The lawsuit alleges that Wyze was negligent and failed to abide by U.S. Federal Trade Commission regulations for managing customer information. The plaintiff, Matthew Schoolfield of Texas, is seeking class-action status in the lawsuit.
“Not only does the exposed data make Wyze customers more susceptible to identity theft and financial fraud in the future, it is now possible for any individual anywhere in the world to access the live video feeds of every single Wyze camera that was online,” the suit alleges.
We’ve contacted Wyze seeking comment on the suit. At the time of the breach, the company said it resulted from human error, a common cause of such issues. The company said the problem occurred in the process of developing new ways to measure metrics such as device activations and failed connection rates.
“We copied some data from our main production servers and put it into a more flexible database that is easier to query,” Dongsheng Song, Wyze co-founder and chief product officer, wrote in a post about the breach in December. “This new data table was protected when it was originally created. However, a mistake was made by a Wyze employee on December 4th when they were using this database and the previous security protocols for this data were removed.”
Founded in 2017 by a group of Amazon veterans, Wyze offers a series of low-priced cameras, locks, plugs, bulbs and other smart-home devices. The company, based in Kirkland, Wash., raised $20 million just over a year ago. Wyze was separately in the news after another Seattle startup, Xnor.ai, backed out of a deal to provide its person-recognition technology to Wyze cameras before Xnor was acquired by Apple.
Twelve Security first spotted the breach and publicized it in December, claiming that the leaked data included the following:
- User name and email of those who purchased cameras and then connected them to their home
- Email of any user they ever shared camera access with such as a family member
- List of all cameras in the home, nicknames for each camera, device model and firmware
- WiFi SSID, internal subnet layout, last on time for cameras, last login time from app, last logout time from app
- API Token for access to user account from any iOS or Android device
- Alexa Tokens for 24,000 users who have connected Alexa devices to their Wyze camera
- Height, Weight, Gender, Bone Density, Bone Mass, Daily Protein Intake, and other health information for a subset of users
Wyze quoted that list in its original post about the breach but added, “We don’t collect information about bone density and daily protein intake even from the products that are currently in beta testing.”
Here’s the full suit: