Catalin Cimpanu on zdnet.com:
Song said the exposed database — an Elasticsearch system — was not a production system; however, the server was storing valid user data.
Elasticsearch is a really powerful tool, but it loves data. The more the merrier. If you designed a safe(ish) production environment and change management process for it, then things should be ok. But dev environments usually have more relaxed rules, which is ok; they also have less data to work with, which makes testing a pain, and that usually leads to "let's just copy prod data for a test", which becomes the weakest link in your security chain without you realizing it.
Song confirmed that the leaky server exposed details such as the email addresses customers used to create Wyze accounts, nicknames users assigned to their Wyze security cameras, WiFi network SSID identifiers, and, for 24,000 users, Alexa tokens to connect Wyze devices to Alexa devices.
As a big Wyze user: dammit.
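The "let's just copy prod data for a test" step is where the exposure above starts, so the fix belongs at that step: whatever is loaded into a dev index should already be stripped of tokens and pseudonymized. The following is an added example, not code from Wyze or from the ZDNet article; it assumes constructed sample records with the same kinds of fields the report lists (email, camera nickname, WiFi SSID, Alexa token) and a placeholder pseudonymization key. Tokens are dropped outright; identifiers are replaced with a keyed hash so records stay distinct and joinable in tests without carrying the real values.

```python
import hashlib
import hmac
import json

# Placeholder key for the dev copy. In practice this comes from a secrets
# store and must not be the same key used anywhere in production.
PSEUDONYM_KEY = b"dev-copy-pseudonym-key-placeholder"

# Fields that have no business in a non-production index at all.
DROP_FIELDS = {"alexa_token", "password_hash", "session_token"}

# Fields that are useful for testing in shape but not in value.
PSEUDONYMIZE_FIELDS = {"camera_nickname", "wifi_ssid"}


def pseudonym(value: str, length: int = 12) -> str:
    """Keyed hash: same input always maps to the same opaque token,
    but the token cannot be reversed without the key."""
    digest = hmac.new(PSEUDONYM_KEY, value.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:length]


def mask_email(email: str) -> str:
    """Keep an email-shaped value (so validation code still works) but
    replace the whole address with a reserved, undeliverable domain."""
    return f"user-{pseudonym(email)}@example.invalid"


def sanitize_record(record: dict) -> dict:
    """Return a copy of one user record that is safe to load into dev."""
    clean = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue  # never copied, not even hashed
        if key == "email":
            clean[key] = mask_email(value)
        elif key in PSEUDONYMIZE_FIELDS:
            clean[key] = f"{key}-{pseudonym(value)}"
        else:
            clean[key] = value
    return clean


def sanitize_all(records: list) -> list:
    return [sanitize_record(r) for r in records]


def find_leaks(raw_records: list, clean_records: list) -> list:
    """Check step before loading: any raw sensitive value that still
    appears anywhere in the sanitized output is returned."""
    sensitive_keys = DROP_FIELDS | PSEUDONYMIZE_FIELDS | {"email"}
    haystack = json.dumps(clean_records)
    return [
        r[k] for r in raw_records for k in sensitive_keys
        if k in r and r[k] in haystack
    ]


# Constructed sample data, not real users.
SAMPLE_RECORDS = [
    {"user_id": 1, "email": "alice@example.com", "camera_nickname": "Front door",
     "wifi_ssid": "AliceHomeNet", "alexa_token": "tok-alice-123", "model": "cam-v2"},
    {"user_id": 2, "email": "bob@example.org", "camera_nickname": "Garage",
     "wifi_ssid": "BobsWifi", "alexa_token": "tok-bob-456", "model": "cam-v2"},
]

if __name__ == "__main__":
    cleaned = sanitize_all(SAMPLE_RECORDS)
    leaks = find_leaks(SAMPLE_RECORDS, cleaned)
    print(json.dumps(cleaned, indent=2))
    print("leaks:", leaks)
```

Run the leak check as a gate in whatever script performs the copy, and refuse to index anything if it returns a non-empty list; the point is that the dev cluster only ever sees output of `sanitize_all`, never the raw dump.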