Help! All data in mybook live gone and owner password unknown

There’s a Windows version, too.
What I saw was an ext3 or 4 filesystem.

Also checked to restore the partitions. My util found three different versions and I wasn’t bold enough. Also none of them showed me my shares in the preview.

@Hazamel Yes I saw those types in some of the code. Hopefully Recuva will do better.

I tried mounting the disk with a USB adapter in Windows 10 (insider build) and it instantly Green screens. 100% reproducibility. I also tried using the same adapter in Linux and there seem to be no partitions.

What is the cause of all this? A bad firmware push? How does this happen? Shows the vulnerability of IoT devices.

The WD MBL log files indicate a script issued “FactoryReset” command to users all over the world.
I don’t use Cloud Storage so I don’t understand how this can happen?
What do you mean by Green screen? Nothing to recover?

Jun 23 15:51:35 MyBookLive : System ready
Jun 23 15:51:37 MyBookLive logger: WD NAS: Email alerts REST API failed to return Success
Jun 23 15:51:37 MyBookLive : Check if new firmware is available
Jun 23 15:51:38 MyBookLive logger: Starting orion services: miocrawlerd, mediacrawlerd, communicationmanagerd
Jun 23 15:53:24 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:53:24 MyBookLive shutdown[7899]: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 MyBookLive logger: hostname=MyBookLive

1 Like
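An added example (not part of any post in this thread, and not WD code): a Python check that scans a collected My Book Live system log for the `factoryRestore.sh` entry shown in the excerpt above and reports when it ran, whether a reboot was logged right after it, and how long the device stayed down. The sample input is the excerpt quoted above; the year (syslog lines carry none) and the two-minute reboot window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Sample input: the syslog excerpt quoted in the post above.
SAMPLE_LOG = """\
Jun 23 15:51:35 MyBookLive : System ready
Jun 23 15:51:37 MyBookLive logger: WD NAS: Email alerts REST API failed to return Success
Jun 23 15:51:37 MyBookLive : Check if new firmware is available
Jun 23 15:51:38 MyBookLive logger: Starting orion services: miocrawlerd, mediacrawlerd, communicationmanagerd
Jun 23 15:53:24 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:53:24 MyBookLive shutdown[7899]: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 MyBookLive logger: hostname=MyBookLive
"""

# "<Mon DD HH:MM:SS> <host> <tag>[pid]: <message>"; the tag may be empty.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"(?P<tag>[^:\[\s]*)(?:\[\d+\])?\s*: ?(?P<msg>.*)$")

def parse(text, year):
    """Return (timestamp, tag, message) for every line that parses."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((when, m["tag"], m["msg"]))
    return events

def find_factory_restores(text, year=2021, window=timedelta(minutes=2)):
    """Report each factoryRestore.sh start with its surrounding context."""
    events = parse(text, year)  # year is assumed: syslog lines carry none
    findings = []
    for i, (when, tag, msg) in enumerate(events):
        if tag != "factoryRestore.sh" or not msg.startswith("begin script"):
            continue
        later = events[i + 1:]
        reboot = any(t == "shutdown" and w - when <= window for w, t, _ in later)
        back = next((w for w, t, _ in later if t == "S15mountDataVolume.sh"), None)
        findings.append({
            "restore_at": when,
            "reboot_logged": reboot,
            "offline_for": back - when if back else None,
            "preceding": [f"{t or '-'}: {m}" for _, t, m in events[max(0, i - 3):i]],
        })
    return findings

if __name__ == "__main__":
    for f in find_factory_restores(SAMPLE_LOG):
        print(f)
```

The `preceding` field keeps the three parsed lines before the reset, which is where to look for whatever triggered it when comparing logs from several affected devices.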

Just to say I got the same problem with my drive, here in Japan. Factory reset, everything gone. For now, I just disconnected the drive from the network and unplugged it.
I’ll be waiting patiently to see whether people can recover data from it. I’ll likely remove the drive and use something like Recuva if I see people having success.

2 Likes

I have just found I have the same issue. Everything is gone. Just 3 share folders. I’m in the US. This is BAD!

How do I file an official support complaint with WD and get a case number?

TL;DR - I tried Recuva, it got a lot of stuff, but a lot of things are corrupted, especially larger files (my drive mostly had movies and TV shows)

Longer version - I’m in the US/Tennessee, and I had the same problem. I noticed the normally-almost-full drive was empty when I got home from work last night (Wednesday around 6 PM CDT), so I took the drive out of its casing and plugged it into my late-2013 MacBook Pro using a SATA-to-USB. I’ve got Paragon’s extFS for Mac, so I could see the drive was ext3 and that it showed up as 3 mounted partitions, but the drive was completely empty, other than the generic setup file structure (which was actually slightly different than I’d ever seen it–I’ve never before noticed “TimeMachineBackup” or “SmartWare” folders on there, but maybe I deleted them years ago and forgot).

I then ejected the drive and connected it to my Windows desktop, and started running Recuva overnight. First it has to index everything, which takes several hours, then it shows you a list of what you can supposedly recover (although many of those could actually be corrupted). So when I woke up this morning I started the actual recovery, and when I got home from work it had finished. None of the file names were there, which is very annoying, and most of the movies and TV show episodes were either gone or corrupted and can’t actually be played. Smaller files like JPGs and PDFs seemed to be working, with occasional corruptions.

So from my experience Recuva is definitely worth a shot, especially if you had smaller files on your drive. Because I doubt Western Digital is going to offer to recover anyone’s data, even though I’m guessing with a problem this widespread it’s definitely their fault, one way or another.

1 Like

If anyone with this issue is in any of the following New York areas, please let me know:

  • Westchester
  • Chinatown
  • Midtown Manhattan

I’m a hobbyist security researcher who would really like to take a look at a drive that this happened to. If you’re not comfortable taking the drive apart, I can take it apart and run PhotoRec and co. for you and try my best at recovering your files. We can meet in a park or similar public place, and we can remain there for the duration of our meeting. I won’t ask for any payment. I’ve taken apart several WD external drives and I have many leftover SATA to USB adapters from them. I know how to go about the data recovery process as safely as possible. (For those following along at home, this means to image your drive before running PhotoRec or similar on it. If you accidentally write to it, you could destroy your data! Use Macrium Reflect if on Windows, dd if on Mac or Linux)

Also: for those with damaged photos/videos, definitely take a look at Klennet Carver. This software works absolute magic.

1 Like

It hit me as well, nearly 2TB of data, all gone. Fortunately, it’s all backed up, but this is going to create a lot of extra work. Some details that may be helpful in some way:

My device was a MyBook Live Duo, and I did not have its internet cloud feature enabled as a security precaution, but obviously that was not good enough. My drive had a factory restore executed on June 23 at 03:44 EDT. I was able to log into the control panel of the drive without using a password, so no new password was assigned during the attack. I have it connected to a Linksys WRT1900AC router, which has a firewall as most routers do. I also have a WD Elements USB hard disk connected to my main workstation on the network (which was powered on during the attack), but that was not compromised.

None of my computers were compromised and all are running Windows 10, fully up to date on patches. So it seems even though I had the internet cloud feature disabled, evidently the device is still actually connected to the internet. This was something I did not know, but I learned my lesson there.

From what I’ve been reading, the current WD NAS drives require an always-on internet connection to actually function, which would definitely prevent me from purchasing one, if true.

To anybody thinking that WD might compensate users affected by this, dream on. No way. Unfortunately the MyBook Live is end-of-life, so I would be surprised if we get a new firmware. Even though mine has worked flawlessly for years, it looks like I might be forced to replace a perfectly good-working drive. I won’t be getting a WD product, however.

4 Likes

Also lost 2TB of files today. Luckily, I have recent backups, but I imagine situations where people could have both, primary storage and backup online simultaneously. Imagine a legal firm that has main case files on WD Live drives, and then another set of WD Live’s as a reserve copy, and today both are gone. This could be one of the biggest data losses in history, and let me assure you - the files are non-recoverable. Courtesy of the OS that WD Live uses and secure encryption. EXT3 system that you’ll find, if you scan the drive will give you a new structure. Nothing of the last file set is preserved.

In layman’s terms - the files you lost today cannot be recovered with a patch. The key that identifies the way files were written is gone. There is nothing. I only lost a bit of work. I’ll manage. But I can see people wake up to find years or decades of their lives missing this morning. Knowing files cannot be recovered by any means, this will hit the company big time. They should be lawyering up, and hoping their lawyers didn’t put their case files onto WD Live.

First thing I did today was extract the wiped 2TB drive from the shell and scan EXT3 partitions with recovery software. The way it appears to me, is that the Linux system used uses a key that gets wiped in this type of reset. The data is essentially still on the drive, but can’t be identified for what it is, or decoded without a proper key that no longer exists. Doesn’t look good to me at all. Plus, I can’t wait on the fix. I’m firing up backups. Thankfully they’re not from Western Digital.

1 Like

So far everything is fine on my drive - powering it off until further information is provided.

I’m just wondering how many of those affected had automatic firmware updates enabled or remote access enabled?

Is it possible WD’s update servers were compromised and a malicious firmware update was posted and pushed to devices?

1 Like

I received a message from Western Digital requesting my system logs which I provided. They say they’re going to call me! Fingers crossed!
Get yours ready - instructions here: How To Collect My Book Live or My Book Live Duo System Logs

2 Likes

I ran EaseUS data recovery. All types of modes. Was only able to see the source Linux EXT3 partition. I can only see erased Linux files. All other type of media is gone. Posts above say it’s a reset without zeroing of the sectors, but what I see is a full proper wipe.

Tried EaseUS. It only found unencrypted Linux OS files in 2 partitions. No other files. I’m skeptical of other recovery methods working any better. The OS itself is kept on the drive. There’s intermittent writing that the drive itself does. If the table of contents is gone, the drive’s as good as gone.

This is unfortunate. Thankfully I read about the warning on security holes on my old My Book Live last year, opened it up and installed OpenWrt instead. I also got faster transfer with latest Samba v3 up to 70MB/s. I recommend you try OpenWrt if you are to keep the MBL (after the data recovery of course). The ARM chip in MBL is not the fastest, but it is still sufficient for basic home storage.

optional tutorial: Beginners guide to installing OpenWrt on MyBookLive - Installing and Using OpenWrt - OpenWrt Forum

2 Likes

Feeling very fortunate I saw this appear across my newsfeed just now. Data seems intact so I immediately disconnected Ethernet from my router & power.

Will wait to see what WD suggest (MBL Duo)
https://www.theverge.com/2021/6/24/22549677/wd-my-book-live-data-deletion-unplug-lan-cable-threat-actor

Hello. I have the same problem. All data erased. I’m from Slovakia. I am trying to recover data with ZAR 9.1 and other programs. I tried EaseUS Data Recovery but it doesn’t have file names, just numbers and extensions. Does anyone have a better solution? Thanks

I got scared and disconnected my drive before I actually verified if any data was lost … I took a quick peek and saw what looked like all of my folders present but I didn’t look for actual files. Now that it’s disconnected, is there any “safe” way that I can reconnect it to verify if I still have my data?

1 Like