Wyze suffers big data breach: What to do
Your email address may have been exposed
If you've bought one of Wyze's inexpensive security cameras, you received some unwelcome news over the holidays. The smart home device maker suffered a security breach that exposed some data for millions of its customers.
The Twelve Security blog first reported on the breach right after Christmas, and Wyze soon confirmed that some user data stored on one of its databases had not been secured "and left exposed from December 4th to December 26th." The breach affects anyone who created a Wyze account prior to Dec. 26; Twelve Security estimates that it affects as many as 2.4 million people.
There's a sliver of good news here: None of the exposed information included passwords, customer financial data or video files. That shouldn't stop you from using good password practices, like turning to one of the best password managers and never re-using passwords.
According to Wyze, exposed information includes user emails, profile photos, Wi-Fi router names and some Alexa integration tokens. Other information left exposed on the company's database included device names and Wyze nicknames.
Twelve Security's report claimed that API tokens for accessing user accounts from iOS or Android devices were exposed, though Wyze said it hasn't found evidence of that. Still, it refreshed those tokens as a precaution.
Wyze disputes another Twelve Security claim that leaked data included health info such as height, weight, gender and bone mass density.
"Wyze was beta testing new hardware and some of this information was in the database. We had this information for about 140 external beta testers," the company said. "We have never collected bone density and daily protein intake and we wish our scale was that cool."
If you've got a Wyze camera, you'll need to relink any Alexa skills to the device since Wyze has refreshed Alexa tokens as well as tokens for Google Assistant and IFTTT. You'll also need to log back into your Wyze account.
Because your email address may have fallen into the hands of third parties, Wyze cautions you to be on the lookout for phishing attempts or other spam.
Wyze devices are popular in part because of their low price — the Wyze Cam 1080p, for example, costs less than $30 but offers a ton of features. This data leak may add to the perception that low-cost security devices are prone to breaches. (Cheap baby monitors seem particularly vulnerable to hackers.) But in its post on the data leak, Wyze disputed the notion that its products are less secure because of their low price.
"We’ve always taken security very seriously, and we’re devastated that we let our users down like this," the company said. "This is a clear signal that we need to totally revisit all Wyze security guidelines in all aspects, better communicate those protocols to Wyze employees, and bump up priority for user-requested security features beyond 2-factor authentication."
Philip Michaels is a Managing Editor at Tom's Guide. He's been covering personal technology since 1999 and was in the building when Steve Jobs showed off the iPhone for the first time. He's been evaluating smartphones since that first iPhone debuted in 2007, and he's been following phone carriers and smartphone plans since 2015. He has strong opinions about Apple, the Oakland Athletics, old movies and proper butchery techniques. Follow him at @PhilipMichaels.