After what should have been an outstanding holiday season for Wyze and its low-cost smart home cameras, the company is now admitting to a data breach at what may be the worst time possible.
Over the weekend, Wyze confirmed security researcher Twelve Security’s claim that more than 2.4 million Wyze users have been affected by a breach that left their personal information, including e-mail addresses and Wi-Fi network names, exposed and accessible on the Internet.
“To help manage the extremely fast growth of Wyze, we recently initiated a new internal project to find better ways to measure basic business metrics like device activations, failed connection rates, etc.,” Wyze said in a statement. “We copied some data from our main production servers and put it into a more flexible database that is easier to query. This new data table was protected when it was originally created.”
During its investigation last week, Wyze discovered that an employee made an error when they had accessed the database and removed all security protocols, leaving the database accessible to the public. In an update to that statement on Sunday, Wyze said that it had “discovered an additional database that was left unprotected.” The company didn’t say how many users were affected in that breach and whether any malicious actors had accessed the information.
Like countless other companies that have suffered data breaches of late, Wyze was apologetic, saying that it’s “very sorry for this oversight.”
Wyze did not respond to Fortune‘s request for comment.
Founded in 2017 by former Amazon employees, Wyze has spent the last two years trying to make a name for itself in the crowded smart home market by selling low-priced alternatives to a variety of smart home devices, like cameras, light bulbs, and smart plugs.
The effort appeared to work. When Amazon released a list of its holiday bestsellers last week, Wyze’s budget-friendly indoor security camera was one of the most purchased electronics this year.
Now, all of those shoppers might be wondering if their data was exposed. It likely was: the customer databases were exposed December 4-26.
Worst of all for Wyze, a recent Amazon move could ruin its holiday success.
Amazon announced earlier this month that it was expanding its free return policy on the “millions of items” under 50 pounds that it sells and fulfills from its distribution centers. The policy affects all purchases made between November 1 and December 31, and extends the free returns to January 31.
Therefore, on Amazon, where Wyze products are especially popular, customers who bought Wyze devices over the holidays can easily return them, free of charge and for any reason, anytime between now and the end of January.
Over the past couple of years, Wyze has been criticized at times by commenters on social media for selling cheaper devices who fear that, due to their lower cost, they could be less secure than higher-priced alternatives. In light of the latest breach, Wyze is once again facing those comments.
In its statement, Wyze directed its attention at those critics and said that its devices are secure, even if they cost significantly less than competing products from Ring, Philips, and others.
“We’ve often heard people say, ‘You pay for what you get,’ assuming Wyze products are less secure because they are less expensive. This is not true,” the company said. “We’ve always taken security very seriously, and we’re devastated that we let our users down like this.”
Wyze added, however, that the data breach is a “clear signal” that it needs to review its security guidelines and do more to secure its customer data.