Security camera and smart device maker Wyze Labs has confirmed a data breach that left exposed a database containing information on reportedly 2.4 million of its users.

Wyze Co-founder Dongsheng Song confirmed the data breach on December 27 and said the exposed database contained a large amount of personal, product and some medical information.

  • Username and email of those who purchased cameras and then connected them to their home.
  • Email of any user they ever shared camera access with such as a family member.
  • List of all cameras in the home, nicknames for each camera, device model and firmware.
  • Wi-Fi SSID, internal subnet layout, last on time for cameras, last login time from app, last logout time from app.
  • API Token for access to user account from any iOS or Android device.
  • Alexa Tokens for 24,000 users who have connected Alexa devices to their Wyze camera.
  • Height, weight, gender, bone density, bone mass, daily protein intake, and other health information for a subset of users.

Song detailed the chain of events noting the company received notice of the open database on December 26 when the cybersecurity firm Twelve Security posted news of the lead.

“In this case, both the company’s production databases were left entirely open to the internet. A significant amount of sensitive information generated by 2.4 million users, all coincidentally outside of China, was the result,” Twelve Security wrote.

Wyze has not confirmed the number of its customers affected.

The database itself, which had just been created, was initially set up correctly, but an employee made an error on December 4 leaving the information exposed, Song said.

“We copied some data from our main production servers and put it into a more flexible database that is easier to query. This new data table was protected when it was originally created. However, a mistake was made by a Wyze employee on December 4th when they were using this database and the previous security protocols for this data were removed. We are still looking into this event to figure out why and how this happened,” Song said in a post on the company’s website.

As an added precaution Wyze has refreshed its iOS and Android API tokens even though there is no evidence they were compromised.

The company is in the process of information those affected but did not say when the notifications would be sent.

Song apologized for the breach but defended his company’s overall approach to securing its products.

“We’ve often heard people say, “You pay for what you get,” assuming Wyze products are less secure because they are less expensive. This is not true. We’ve always taken security very seriously, and we’re devastated that we let our users down like this,” he said.