Help! All data in mybook live gone and owner password unknown

I hope that you are right, and that there is a quick fix for it.

I did not have automatic firmware updates enabled and also did not have remote (internet) access enabled either, and yet the drive was still connected to the internet. I thought I had taken adequate precautions to prevent the possibility of such a threat but it looks like the only way to keep the NAS off the internet is to block it within the router or firewall.

I wonder if WD scans the NAS drives of users the same way that Facebook and Microsoft skim data for so-called ‘product improvement’ purposes. I need to read the EULA to see.

I’m also very curious as to how this event occurred worldwide within only a few hours. I’m wondering if the source was WD’s servers being compromised, then pushing the script out to all connected drives.

What annoys me here is that the MyBook products were still in the retail chain when that product line was discontinued in 2014, and yet the final firmware WD released was in 2015. I would have expected at least security firmware updates for a few years longer.

NAS drives are not like GPUs or CPUs, in that they’re not normally replaced every few years, and the product support should reflect that. I wouldn’t expect WD to support the product indefinitely, however they were aware of the vulnerability and didn’t move to protect their customers. Well that also makes me wonder if their current products have similar vulnerabilities, so I will have to remove this drive from my network now, but I’m definitely not replacing it with another WD product. If this situation is representative of how WD approaches critical security threats, then I’ve lost faith in them and their products.

My company has used many different WD drives over the course of the last 20 years. Things change I guess and so will my future considerations regarding WD.

2 Likes

My company also keeps virtually all long term archives on WD drives. Even though they’re non-Live versions, they’re now afraid to access archives, on the off chance that something else is compromised. Some people who had the time to react and unplug - what reassurance can they have that this type of thing won’t happen again? Who would buy another WD Live drive after this? Also, as it turns out, it is not possible to deactivate a Live account without writing to technical support. Meaning that if their repository contained any log data, IP information etc., then you can’t even erase yourself from their servers without explicit permission. I’ve lost 2TB today of non-essential and easily recoverable material, but I guarantee the majority are not that fortunate. I know many families who keep their photo albums on their devices, family videos, important documents. Luckiest are those who didn’t trust them with anything more than their music collections, but I know even that can be devastating. I’m surprised this isn’t headline news everywhere. I hear in corporate communications that many businesses are affected. This is not ransomware, but in a sense, is even worse. And it targets everyone indiscriminately. I haven’t seen an attack of such scale since CIH in 1999.

1 Like

Hello!

I just created an account on this forum to tell you what I’m currently trying, if anyone might want to try this as well. I had my WD MBL seemingly wiped today as well, but I saw someone mention that the partition table was just changed, not all the data. I am attempting to use a tool called DiskInternals Linux Recovery on Windows to see if it can redetect any files. I’m not entirely sure if it can work because (from what I remember from OS class) the Linux filesystem keeps a record of files in multiple blocks, including location and size, and it might be that the records would have to be reconstructed for any of the data to make sense. However, Linux also uses multiple records in different blocks on the filesystem, so it’s possible only the root record got erased. Here’s the software if you want to try it: https://www.diskinternals.com/linux-recovery/. To get the MBL onto my computer I disassembled my WD MBL and connected the disk to my Windows PC with an external disk reader (I actually upgraded the original disk to a WD Blue). A note on the software: it might be a trial version, so it might limit or prevent retrieving the files if you don’t pay (but it should be able to show which files it sees for free). If I see anything important on my disk I might actually buy the software to get the data back (usually data recovery software isn’t free anyways, but if you know of any then I’d like to know).

2 Likes
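The redundancy the post above is guessing at does exist in ext2/3/4: the superblock is copied into several block groups, and those copies are what recovery tools search for when the start of a disk is damaged. The following is an added example, not code from this thread or from any tool named in it; the sample image, its tiny geometry and all function names are constructed for illustration.

```python
import struct

EXT_MAGIC = 0xEF53  # s_magic: little-endian u16 at superblock offset 0x38

def parse_superblock(buf, off):
    """Return fields if buf[off:] looks like an ext2/3/4 superblock, else None."""
    if off + 0x5C > len(buf):
        return None
    if struct.unpack_from("<H", buf, off + 0x38)[0] != EXT_MAGIC:
        return None
    inodes, blocks = struct.unpack_from("<II", buf, off)
    first_data, log_bs = struct.unpack_from("<II", buf, off + 0x14)
    per_group = struct.unpack_from("<I", buf, off + 0x20)[0]
    group_nr = struct.unpack_from("<H", buf, off + 0x5A)[0]
    # Sanity checks reject random data that merely contains 0xEF53.
    if log_bs > 6 or first_data > 1 or not (inodes and blocks and per_group):
        return None
    bs = 1024 << log_bs
    # Byte offset at which the filesystem must begin for this copy to fit.
    if group_nr == 0:
        fs_start = off - 1024
    else:
        fs_start = off - (first_data + group_nr * per_group) * bs
    return {"offset": off, "block_size": bs, "group": group_nr, "fs_start": fs_start}

def scan_image(buf):
    """Probe every 1024-byte boundary; superblock copies are always so aligned."""
    hits = (parse_superblock(buf, off) for off in range(0, len(buf), 1024))
    return [h for h in hits if h]

def build_sample_image():
    """Constructed image: 1 KiB blocks, 16 blocks/group, copies in groups 0, 1, 3."""
    img = bytearray(64 * 1024)
    for group in (0, 1, 3):
        sb = bytearray(1024)
        struct.pack_into("<II", sb, 0x00, 32, 64)   # inode count, block count
        struct.pack_into("<II", sb, 0x14, 1, 0)     # first data block, log2(bs/1024)
        struct.pack_into("<I", sb, 0x20, 16)        # blocks per group
        struct.pack_into("<H", sb, 0x38, EXT_MAGIC)
        struct.pack_into("<H", sb, 0x5A, group)     # which group holds this copy
        off = (1 + group * 16) * 1024
        img[off:off + 1024] = sb
    return img

def wipe_start(img, nbytes=4096):
    """Simulate loss of the first sectors, primary superblock included."""
    damaged = bytearray(img)
    damaged[:nbytes] = bytes(nbytes)
    return damaged

if __name__ == "__main__":
    for hit in scan_image(wipe_start(build_sample_image())):
        print(hit)
```

Run it only against a read-only image of the disk, never the original device; every surviving copy should agree on `fs_start`, which is where the lost partition began.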

Had no luck with Software like Disk Genius or recuva.

I’m down to testdisk/photorec. I’m hopeful that I’ll get my dearly missed files and not just the ■■■■ I didn’t miss. But it works. Very low level but it works

Did they email you directly, did it look like this?

My emails have been removed

I am pretty sure this is spam relating to the incident? Look at the email address, and the link doesn’t appear to go to a valid WD site.

Is this real or part of the compromise?

I have a WD My Cloud, also pretty old. Should I be worried that it might share the same vulnerability? I’ve disconnected the device for now just to be sure.

1 Like

@MikeLanglois my e-mails from WD support have been coming from westerndigital@custhelp.com

Edit: ah, having said that, when I first created a support account I got a confirmation e-mail from wd_en_feedback@mailva.rnmk.com

I don’t think I actually clicked on any of the links in that mail though; I just logged on via the website.

Apparently it was real and a support ticket was made for me. They called me “valued customer” in my support profile, that’s why it says Dear Valued. I would recommend everyone, if they do get an email, to not click the links and go to the support page in their browser though, just in case.

The support ticket basically asks for my logs and the serial number of the device, and tells me to unplug the device (around 24 hours after it wiped my data, so a bit late).

I will be instigating something. Once I’ve picked myself up and focused on any potential recovery, the next thing I will be doing is seeking compensation for all the puking I’ve done in the last 24 hours. Make no mistake about it, I will certainly be seeking some legal action.

My mybooklive is also wiped :disappointed: lucky I think I’ve backups of most of my stuff, really feeling for those who have lost their data.

Are there any thoughts about longer term options for making use of the MBL (assuming WD won’t update the firmware)? Would installing openwrt prevent a reoccurrence of this issue?

Just spoke to customer services. Absolutely nothing more to add other than ‘our engineering teams are actively investigating this issue’.

I would disconnect and back up your data before connecting it all back up again.

Keep us all posted please.

Is this problem also related to other NAS in WD’s product line? I have just ordered a WD My Cloud EX2…

Right now I wouldn’t trust any WD NAS until there is verification that it is safe.

1 Like

One thing I need to find out is if these drives send telemetry to WD in the background. I’m betting that they do. If that’s the case then I would look very sharply at the idea that this could have originated from compromised WD servers.

I’m just struggling to figure out how all these specific drives were being injected with SSL scripts worldwide and it all happening very rapidly, within a space of a few hours. That leads me to suspect that whatever the source was of this attack, it must have already had existing access to these drives since the IP addresses were needed to execute that script.

I find it very concerning to read that some users are reporting that they were hit by this while they had remote features disabled. Although I have a different device, I’m keeping it fully disconnected until we know more

Yep same here. In Australia. Happened exactly at 7.10am on Thursday morning Western Australia Time. I was actually watching it go from blue to yellow LED. Was odd so logged in and found it reset.

No idea why but took it to a mate’s and all that he had was rphoto. All the data is there but no file or folder names so that was hard to use given there’s 1000’s of files.

Have taken to a pro who’s looking at it now with R studio and he said he’s found superblocks…

Then I saw this just now I’m not the only one! I thought it was me.

I did see logs on my virus firewall showing an increase in attacks in the last few days on that device but didn’t do anything. Was going to disconnect remote access but then this happened before I got the chance.

Pissed but my bad with only backups of partial docs and photos items but lost all my iTunes library and video library.

Feel stupid but definitely expect more from WD.

Is it even worth opening a support ticket? The unit is 9 years old.

2 Likes

■■■■: EX2Ultra - and also all data gone!