The target: Wyze, a Seattle-based smart home device maker.
The take: Email addresses, IP addresses, WiFi SSID’s and device information of 2.4 million customers.
The attack vector: During the deployment of a new database, a mistake by an employee removed all of the security protocols governing the system, thus exposing the information. In total, two exposed Elasticsearch databases and one MySQL production database were freely accessible and the attackers were then able to access and download the leaked information.
Deployment of new technology is a potentially critical point of vulnerability. Any changes intended for the production environment should be tested in a private staging environment and audited/tested wherever possible to avoid introducing gaps into a firm’s security posture.