Honestly, I'm convinced this whole thing is a hoax. Wyze handling this under the assumption this was a real thing is a breath of fresh air, as they definitely seem to care a lot about this and shown that they are taking the accusation very seriously.
...but the source for this accusation, 12security, they look like a joke. The further you dig into "12security" the more sketchy it gets.
The website domain name was purchased earlier this year from Google Domains (whois.net shows it was created 2019-08-19T22:06:20Z), but the only 3 "articles" on it are all from December of this year, and the other two from before this Wyze one are just ranty, and aren't anything to help 12security's credibility.
Before today there isn't a single listing for this website in the internet archives, the only archives for this website are ones I generated today while researching the site.
The website is powered by Ghost, (
Ghost: The #1 open source headless Node.js CMS) which isn't really an issue, lots of professional websites use Ghost, but it's not even been fully set up. The website has a lot of the default stuff still. There is no favicon for the site, the username for the blogposts is the default "ghost", the footer is still linked to the Ghost platform's social page and not their own, and the admin login url hasn't been changed like you'd expect a security expert to do to
Ghost Admin which redirects to
Ghost Admin.
The only social page that their footer points to that is their own is their twitter,
Twelve Security (@SecurityTwelve) | Twitter which again, does not look like a real security researcher's twitter, and instead looks like a generic anti-china conspiracy account.
The website has a dedicated page for pricing of security consultation, and it's made in the most asshole way possible. "Twelve Security offers the following services. Prices are purposely posted here to intentionally antagonize any vendors/consultants who do not:" which is to me suspicious because it's the very same thing that people are pushing Wyze to pay for.
Their phone number listed, 210-929-6268, is a google voice / google fi phone number that has been put on do not disturb mode. Or at the very least, they're using the EXACT same recorded messages that Google voice / google fi uses. And
Free Carrier Lookup - Find the carrier information for phone numbers - worldwide. verifies that both my google fi number, and their number show up as a T-Mobile number.
Their website advertises their "services" but does it in a very unorthodox and aggressive way,
Services
Their domain is a Google Domains domain, that was only registered this year.
And the "article" that started this all, just read it for yourself. It doesn't follow the industry standard of first reporting the breach to the company to give them a chance to close the breach before making the public aware of it, that is done to protect users from the hackers who would go after Wyze's servers because of the alleged breach.
Wyze originated as a camera company in 2017, establishing headquarters in Seattle, Washington. Their website clearly states - under no uncertain terms - that the company holds intrinsic ties to Amazon, and will conduct business almost exclusively through them. Recently, Wyze was breached...
web.archive.org
And that's just what I've been able to stumble across so far.
Dov Chodoff (in the FB Wyze group) also pointed out that their address listed on their site doesn't appear to be a real address
Google Maps
blog.12security.com
