I could tell something was wrong by the awkwardly formal introduction of the email we just received:
There is nothing we value higher than trust from our users. In fact, our entire business model is dependent on building long-term trust with customers that keep coming back. We are reaching out to you because we’ve made a mistake in violation of that trust. On December 26th, we discovered information in some of our non-production databases was mistakenly made public between December 4th – December 26th. During this time, the databases were accessed by an unauthorized party.Wyze cam data breach update
“Wyze Cam” suffered a data breach and user data was stolen. The company just sent out an email informing their customers about what happened.
Let’s repeat together: Digital products make great targets for hackers. I am a target because I use digital products.
To be fair, the “unauthorized party” did not “access” (access = steal) sensitive data like credit card data, video footage or passwords.
The hackers accessed Wyze device names, user emails, profile photos, WiFi router names, and some Alexa integration tokens.
That’s good and probably an indicator of a segregated infrastructure. (A security process to make it harder to access and steal data.) In this case the hacker didn’t actually have to “break in” because the door was left open. And believe me, that happens more often than we think it would.
“Information in some of our non-production databases was mistakenly made public“Wyze cam data breach update
It reads like the developer-team did a mistake and accidentally left a non-production database open.
Doesn’t that clearly show that people make mistakes and also that hackers are waiting for those to happen. (Because it’s a lot easier.)
A Person + Large Database + “Tiny Mistake” = Big Problem
As a user you can’t really do anything about a company’s data security and protocols. You really do have to rely on them doing their homework.
Let’s pretend your account password and email would have been stolen: The hackers could immediately use this data to perform “credential stuffing” – an automated protocol that would test your data with the most common platforms such as facebook, gmail and others.
Although in this case it’s just a hypothetical scenario: The only thing preventing credential stuffing from working is when you either NEVER REUSE YOUR PASSWORDS and have a dedicated password for each account or have TWO FACTOR AUTHENTICATION enabled.
So, we are not surprised about this paragraph in the email. However, we would have “urged” the users to add two-factor authentication, explained a little bit more about what it is and how it locks out hackers. From our perspective the term “may” is way too polite and does not stress action.
As an additional security measure, we recommend that you reset your Wyze account password. Again, no passwords were compromised, but we recommend this as a standard safety measure. You may also add an additional level of security to your account by implementing two-factor authentication inside of the Wyze app.Wyze cam data breach update
Securing your accounts is not hard. It’s just diligence.
Let this be a friendly reminder for you to secure your accounts with strong passwords and two-factor authentication.