The issue was uncovered by consulting firm Twelve Security, who announced that sensitive user data had been left exposed on the internet. This included a staggering array of personal information including email addresses, a list of cameras in the house, WiFi SSIDs and even health information including height, weight, gender, bone density and more.
The Twelve Security researcher who disclosed the issue wrote that the database of information was live and open, with anyone able to access it. They described it as the largest breach they had even seen in their ten year career, and concluded, "If this was intentional espionage or gross negligence, it remains a malicious action that must be answered in the form of a decisive, external, and fast investigation by US authorities."
For its part, Wyze responded with a series of forum posts confirming the leak but denying some parts of the Twelve Security report. "We are confirming that some Wyze user data was not properly secured and left exposed from December 4th to December 26th," the company said. It denied that it had leaked bone density information, for example, but confirmed it had leaked "body metrics" for a small number of beta testers.
Wyze says it is investigating what happened and how the leak occurred, and that it plans to send an email notification to affected customers. In the meantime, if you have a Wyze account it's a good idea to change your password and turn on two-factor authentication.