A consulting firm called Twelve Security has uncovered Wyze data leak, which resulted in the sensitive data of millions of users being exposed online. Anyone could access the database that was left open for several weeks. Wyze Labs is a US startup company founded by several former Amazon employees that focuses on manufacturing inexpensive smart devices for home, including cameras.

The researchers said, “If this was intentional espionage or gross negligence, it remains a malicious action that must be answered in the form of a decisive, external, and fast investigation by US authorities."

The personal information included usernames, email addresses, Wi-Fi SSIDs, API tokens for both Android and iOS, Alexa integration tokens, a list of camera names, and some health information such as gender, height, and weight for beta users.

Twelve Security also claimed that exposed information included bone density and daily protein intake, however, the company denies it and says that it had never collected such data (except for the body metrics in beta-testing). The consulting firm also stated that Wyze used to send data to the Alibaba Cloud in China. Dongsheng Song, the company’s co-founder, also disproved it in a forum post and said that the company does not share any data with government agencies.

Wyze discovered the issue on December 26th, according to the company’s co-founder Dongsheng Song. On December 27th, the chief product officer wrote in a forum post, “Today, we are confirming that some Wyze user data was not properly secured and left exposed from December 4th to December 26th.”

Shortly after, Dongsheng Song said that the company had discovered another unprotected database. It is unknown what data was involved, but no financial information or passwords were obtained. All of the databases have been “locked down.” About this, Wyze said:

This is a clear signal that we need to totally revisit all Wyze security guidelines in all aspects, better communicate those protocols to Wyze employees, and bump up priority for user-requested security features beyond 2-factor authentication.

The company says that the data leak occurred because of a human error that resulted in the temporary removal of security protocols on December 4th. An employee copied data from one database to another and failed to maintain security protocols.

Song stated in a blog post:

We’ve always taken security very seriously, and we’re devastated that we let our users down like this. We are working on an email notification to all affected customers and plan to release it in the near future.

For now, Wyze has logged out its customers and asks them to log in again and reset their account passwords.