What just happened? IoT vendor Wyze, which makes budget smart devices such as security cameras and smart door locks, has confirmed it accidentally left an internal database exposed online, leaking the details of up to 2.4 million customers.
Cybersecurity firm Twelve Security was first to notice and announce the issue. It said the exposed information included email addresses, a list of cameras in the home, API tokens, Wi-Fi SSIDs, and health data such as height, weight, gender, bone density and mass, protein intake, and more.
"If this was intentional espionage or gross negligence, it remains a malicious action that must be answered in the form of a decisive, external, and fast investigation by US authorities," wrote the Twelve Security researcher.
"As per my records, Wyze had a huge Elasticsearch cluster publicly exposed. It included 1,807,201,457 records: log data, API requests and events. https://t.co/RtxDLiqPtC"
Bob Diachenko (@MayhemDayOne), 28 December 2019
Wyze co-founder Dongsheng Song has confirmed that the user data was not properly secured and left exposed from December 4 to December 26. He stressed that passwords and personal finance details were not included in the leak, adding that the database—an Elasticsearch system—was not a production system, though it was storing user data.
To help manage the extremely fast growth of Wyze, we recently initiated a new internal project to find better ways to measure basic business metrics like device activations, failed connection rates, etc.
We copied some data from our main production servers and put it into a more flexible database that is easier to query. This new data table was protected when it was originally created. However, a mistake was made by a Wyze employee on December 4th when they were using this database and the previous security protocols for this data were removed. We are still looking into this event to figure out why and how this happened.
Wyze has denied some parts of the Twelve Security report, including that it leaked API tokens, bone density information, and protein intake, though it admits "body metrics" for a small number of beta testers were exposed. It is investigating the leak and plans to notify affected customers via email.