Wyze Labs, which makes smart cameras and connected home gadgets, has confirmed databases holding millions of customers’ information were exposed to the public.
The first data leak exposed customer email addresses, as well as the email addresses of those people who were given permission to view the camera feeds. A list of cameras in customers’ home and tokens used to connect to smartphones and personal assistants such as Alexa were also left open for public view. That database was left exposed from December 4 until December 26.
The breach was disclosed on December 26 by Twelve Security and quickly confirmed by Wyze. Twelve Security said the data breach involved 2.4 million customers worldwide. Wyze said no customer passwords or financial information was contained in the database that was left unprotected.
Wyze on Monday said a second database had also been exposed. It did not give details of what information is on that database, although it said it also did not include passwords or financial information.
As part of the response to the original data leak, Wyze logged out their customers and required them to log in again to create new tokens.
Wyze, which was started by three former Amazon employees, makes cameras that cost as little as $20, much less than the hundreds of dollars that many competing products cost. The price is one of the reasons CNN Business listed it as one of the top tech gifts of 2019.
But as smart home devices, such as cameras, become more common, a growing number of hackers have sought to access them. Earlier this month, four families with Ring cameras reported that hackers had accessed their system and talked to them. One told an 8-year old girl that he was Santa Claus, and urged her to destroy the room.
Ring, which is owned by Amazon (AMZN), said the system invasion was not the result of a breach or failure of Ring’s security. Instead, it said the hackers had likely gained access to the family’s account through weak or stolen login credentials.