Help! All data in mybook live gone and owner password unknown

Doesn’t matter. If the device is programmed to “reach out” to WD for instructions. This is a VERY common method of configuring “Cloud” devices so if you don’t have it blocked in and out you’re still vulnerable to this kind of problem.

Very few (if any?) consumer firewalls stop outbound access to the internet by default. Many consumer routers don’t even have an advanced firewall capable of that kind of traffic management either.

It happens like this.

  1. WD Device boots and reaches out to a URL (like https://cnc.wd.com?devid=123456679)
  2. Website returns a response with either “nothing” or a script/command for the device to perform.
  3. WD Device determines what the return was and either executes the script, notifies the user of an update, etc.

In this case the response from the site could very well have been “Do a factory reset and wipe all data”. Nobody knows at this point, so unplugging it entirely is the safest bet.

This is a good point, but consumer firewalls should prevent the outside world from initiating a connection to your device. When the device inside initiates the connection, as you mention, that’s another story. I don’t think anything else short of unplugging the device from the network would be 100% protection.

This has happened to me also :frowning: Was working this morning.
Everything gone from public except for Shared Music, Pictures, Videos, Software Folder (all empty) and a .tickel file modified 24/06/2021 20:26

FYI got into the settings after resetting with a blank password, nothing typed in, just clicked login.

Another one here :cry:

Seeing the same thing here. Got blanked, new folder creation timestamp is June 23, 5:34 PM Central Time. Unlikely to be the Windows 10 issue someone above linked, as no Win10 system has ever connected to this drive, just a Win7 and Mac machine.

Should consider myself “lucky” that remote access of my MBL has been disabled for some time already due to modem settings, and it is unable to connect to the internet. I still have access to my data on the device through the local network and a Win10 computer.
I did not look to remedy this because of a bad experience with a new WD dual-bay NAS last December. Within 24h this device got hijacked, and I would have had to pay some bitcoin to get my data restored.
Did not pay; most of my pictures are still on the cameras/phone, so I could recover the important stuff. Returned the device to the supplier. Learned a lesson not to connect a NAS and stepped “back” to an old-style external backup drive for safekeeping. The old MBL serves as a convenient local mirror of this to quickly access files.
Sorry to say, but from now on I keep away from NAS devices and WD products.

NAS devices are perfectly fine in general, just stay away from any “Cloud connected” service and use reasonable safety precautions like blocking outbound access and not leaving a drive mapped on your PC.
Mapped drives are common attack vectors from PCs to NAS devices, so keep that in mind.

Unfortunately we’re at a point in history where the average home user needs to at least have someone available to them who knows a decent amount of networking, and the average home router should have some method to block outbound access on a per-device basis. If yours does not, replace it with one that does.

2 Likes

Just found this article.

Doesn’t look good if I’m honest.

1 Like

Spoke to WD and they’ve confirmed a support ticket and receipt of my system logs.
They said that they would be in contact with me. Sent Ticket Number and requested LogFile.
This can be generated by instructions online.
The telltale is that a known password will not allow access. I had to use a paper clip as well.
Then was able to access the Drive Tools.
It seems these drives run Linux; I had asked some Linux sites for help as well.
First I wanted to Clone the drive so it does not get overwritten.
Everyone should disconnect their drive till a solution is found.
The files could still be recoverable, but if the drive is written to it will be bad.
Thanks, Jeff

I’ve been affected by this too :frowning:

Wow… This almost makes Qnap look competent :sweat_smile:
If the factoryRestore.sh does a ■■■■■■ job at cleaning the disks you may be able to recover your data by running a data-recovery program on your drives. I have no intel on how well it actually works or if the disks were encrypted in the first place.

If the data that got deleted was important do not attempt this yourself, ask a professional.
Do not use your NAS, do not write anything on your drives.
Don’t wait for a reply by WD, they can’t help you to recover your data.

Next time go for Synology, it costs a bit more but it’s WAY more reliable than the competitors

2 Likes

Same issue here in the Netherlands

Added this to the Reddit thread I made earlier.

Western Digital support still asking questions as of a few hours ago, but it’s not looking good right now.

Seeking professional help at this point

That article has absolutely nothing to do with this :confused:

So in terms of help, WD can’t do anything really unless they provide us some software to recover the data, right?

What recourse do we have against them? Surely they can’t just press the factory reset on all our devices and be like “oops finger slipped our bad”?

You have no recourse (other than vote with your wallet) since in the EULA for their device I guarantee there’s a “we’re not liable for data lost or destroyed by (insert huge list of things here)” clause.

I’ve been here before, you only have each other now.

EDIT1
If someone could gain access to the SSH file system or deconstruct the firmware and figure out what the factory reset shell script does that would go a long ways towards figuring out if recovery is even possible.

EDIT2
I found the firmware; I’ll download it and find the scripts and what they do.

1 Like

Please refer to the following thread for more information regarding this issue:

Same here, found this in the logs:
rest_api.log.1:Jun 23 15:46:11 MyBookLiveDuo REST_API[9529]: 94.102.49.104 PARAMETER System_factory_restore POST : erase = none
rest_api.log.1:Jun 23 15:46:11 MyBookLiveDuo REST_API[9529]: 94.102.49.104 OUTPUT System_factory_restore POST SUCCESS
I don’t recognize this IP. Seems to be a Dutch IP (I’m in the Netherlands)

2 Likes
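
A check for the log signature quoted in the post above, as an added example that is not part of the thread or of WD's software: it scans rest_api.log lines for System_factory_restore calls whose source address is not on the local network. The function names and the third sample line are constructed for illustration.

```python
import ipaddress
import re

# Matches the REST_API line layout quoted in the post above, with or without
# the "rest_api.log.1:" filename prefix that grep adds.
LINE_RE = re.compile(
    r"^(?:(?P<file>[^:\s]+):)?"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"REST_API\[\d+\]: (?P<src>\S+) (?P<kind>PARAMETER|OUTPUT) "
    r"(?P<endpoint>\S+) (?P<method>[A-Z]+) ?(?P<rest>.*)$"
)

def is_external(addr):
    """True when the source is a public (non-LAN, non-loopback) address."""
    try:
        return ipaddress.ip_address(addr).is_global
    except ValueError:
        return False  # not an IP literal; ignore

def find_remote_restores(lines, endpoint="System_factory_restore"):
    """Return factory-restore REST calls that came from outside the LAN."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["endpoint"] != endpoint or not is_external(m["src"]):
            continue
        hits.append({"time": m["ts"], "device": m["host"], "source": m["src"],
                     "kind": m["kind"], "detail": m["rest"].strip()})
    return hits

# First two lines are the ones quoted in the post; the third is constructed
# (a restore started from a LAN client) to show what is filtered out.
SAMPLE = [
    "rest_api.log.1:Jun 23 15:46:11 MyBookLiveDuo REST_API[9529]: 94.102.49.104 PARAMETER System_factory_restore POST : erase = none",
    "rest_api.log.1:Jun 23 15:46:11 MyBookLiveDuo REST_API[9529]: 94.102.49.104 OUTPUT System_factory_restore POST SUCCESS",
    "rest_api.log:Jun 20 09:12:40 MyBookLiveDuo REST_API[8812]: 192.168.1.20 OUTPUT System_factory_restore POST SUCCESS",
]

if __name__ == "__main__":
    for hit in find_remote_restores(SAMPLE):
        print(hit)
```

Run it over a copy of the logs pulled from the device rather than on the NAS itself, so nothing is written to the affected disks.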

Thanks for doing that.
Yes, right now it is critical to find out whether what factoryRestore.sh has done is a “quick” or “full” factory reset.
Hoping it is the “quick” one; then our data should be rescued much more easily by data recovery services.

Thanks so much for your assistance @t4thfavor.