A recent security breach has leaked the information of over 2.4 million Wyze security camera users. The compromised database was left unsecured and publicly accessible, and it appears that the information was being collected and stored by the Alibaba cloud computing company in China.
According to data security consulting firm Twelve Security’s report on the breach, the user data that was left publicly accessible includes:
- Username and email of those who purchased cameras and then connected them to their home
- Email of any user they ever shared camera access with such as a family member
- List of all cameras in the home, the nicknames for each camera, device model and firmware
- WiFi SSID, internal subnet layout, last on time for cameras, last login time from app, last logout time from the app
- API Tokens for access to the user account from any iOS or Android device
- Alexa Tokens for 24,000 users who have connected Alexa devices to their Wyze camera
- Height, weight, gender, bone density, bone mass, daily protein intake, and other health information for a subset of users
Just one of those bullet points would be enough for concern, but the volume of compromised user data is staggering—if true. (Wyze disputed some of the claims in its response.)
If you use any of Wyze’s products, you need to change your password and update your security options immediately so that no one can break into your account using leaked info. (You might also want to manually log out of your account and log back in, and make sure you disable and reenable any connected services, if applicable.)
You can follow this link to change your password through either the Wyze app or website. Next, you should tighten your Wyze account security by enabling two-factor authentication, if you haven’t already. Here’s how:
- Go to the “Account” tab in the Wyze app.
- Tap your email address.
- Scroll down to the Security section and enable “Two-Factor Authentication.”
- Add your phone number then tap “Verify Phone Number.”
- You’ll receive a text with a verification code. Enter the code in the verification field then tap “Next” to finish the process. You’ll now receive a verification code via text each time you log in. You can also add a backup phone number in case you lose access to the other device for whatever reason.
While a new password and two-factor authentication will help keep your account safe, we should point out that this method—sending a confirmation number over text—isn’t as good as true two-factor authentication, and in some cases may not help at all.