Wyze, a brand best known for their budget security cameras, announced in a post on the brand’s forums that it had suffered what is likely to be the last major data breach of the 2010s.
According to the company, more than 2.4 million records were exposed after a database containing user information was left unprotected for nearly four weeks.
Wyze’s Announcement of the Breach
The records were left unsecured when a company employee copied information from one database to another and failed to follow internal security policies, resulting in an unprotected database.
In the company’s post, a member of the Wyze team said that passwords, government ID information, video files and user financial info was not at risk. However, device information and metrics — including Alexa integration tokens — were made available by the breach and may have been accessed by unauthorized parties.
The company also said that the breach lasted for 23 days, starting on December 4 and continuing through December 26. Wyze learned of the vulnerability on the 27th.
In response to the breach, the company has taken a few different security measures — including forcing users to re-login to accounts, refreshing API tokens and un-linking third-party integrations.
These measures should prevent hackers from using any stolen tokens to access Wyze devices or user accounts.
According to the company’s statement, their internal investigation isn’t finished yet, meaning that the total number of records exposed could grow over the next few weeks as more information becomes available.
2019 in Data Breaches
The breach came at the end of a year that was one of the worst so far for data breaches. 2019 featured a number of high-profile hacks and breaches, including those suffered by big names like Capital One and Facebook.
As with Wyze, most of these breaches were less about the skill of hackers and cyber criminals and more about serious security vulnerabilities and poor security practice.
Capital One’s records were exposed by a misconfiguration of the company’s firewall that allowed a hacker to access their network without being detected. It’s possible that the only reason Capital One became aware of the breach is because of how public the hacker was about both the hack itself and the data she stole.
Amazon, who provided the firewall via their cloud platform, Amazon Web Services, has denied responsibility for the breach — but also pushed an update that should provide companies with better defenses against the kind of attack the hacker used.
The multiple Facebook breaches this year were also less about hackers and more about poor data security. After a company announcement in March that millions of Instagram passwords had been stored in plain text, Facebook disclosed that more than 400 million phone numbers linked to user accounts were totally unprotected.
Additional unsecured records were found to contain even more information — including names, genders and locations.
It’s likely that as data becomes more valuable, these breaches will only become more common over the next few years. Because of this, it’s important for individuals to take the necessary security precautions when sharing information on their computers and mobile devices.
What the Wyze Breach Means For Cyber Security
The Wyze breach was serious — however, even though 2.4 million records is nothing to laugh at, it may be overshadowed by this year’s other major breaches.
If this breach is remembered, it will likely be as a cautionary tale used to explain the importance of following security policies.
In the future, the Wyze breach may be a useful point of comparison as these kinds of breaches — those caused by internal security mistakes — become more common as data moves to the cloud and companies hold on to larger and larger sets of customer data.