Help! All data in mybook live gone and owner password unknown

Okay, my device never got hit by this but I shut it down. See my previous post on that here:

I got tired of waiting on WD to give out any detailed advice and blocked all WAN incoming ports to it on my ISP’s router/modem or at least I hope I did. I’m, of course, going to leave the router’s NAT firewall engaged along with the router’s built-in firewall set to ‘medium’ as I had before.

UPnP was already previously off on both the WD MyBook Live and the router, also remote access was already previously off. Maybe that’s why I didn’t get hit. I’m going to resume backup on it tonight and just leave it on and see what happens. It’s not my only backup so if I get hosed it’s not the end of the world, but I won’t like it as it’ll be a big time-waster.

I’ll be a guinea pig and see if I get compromised and will report back if I do.

I’m very sorry to all those that lost their data and hope you can salvage what you can. I know how it feels because I’ve gone through it myself many, many years ago and even went through depression because of some of the assorted losses (some my fault, some not).

Please make it a learning experience but do not beat yourself up for it nor allow the online peanut gallery to make you feel worse. A lot of people that are trashing others online probably won’t admit that they’ve also lost at least some data in the past as well before they learned to keep duplicates of everything, To err is human.

As I was editing this, an automatic backup was in progress and seem to be working fine so far. Fingers crossed.


If you press the reset button while the MBL is active for 4 secs the password gets reset without clearing any data.

Awesome, thx, how is the data recovery going?

Like everybody else, I lost all of my 2 TB data. Now my drive shows only 3 GB used. Hope WD finds a solution to recover the data. I have not tried but was anyone successful in pulling the drive out of the casing and run disk recovery?
Blaming it on a malware is an easy cop out when they knew the exploit existed for years.

You are really amusing guys at WD. First you leave all your user behind with crappy default settings and unpatched security issues, and now you talk about how ‚serious you take the data of your customers‘.

Be clear is the best you can do:

  • WD ignored obviously all warnings from security engineers
  • There will never be a fix
  • Your data has gone, don’t touch your drive send it to a recovery lab, if important data was on it.
  • Pay the price for not renewing unsupported hardware and not having backups
  • Choose the device(es) for your data wisely next time

As another person said earlier: The problem is well known and documented since years and WD plays surprised like a bad actor.


People here say how much important data they lost. I say, the data is as important to many as currency, so they should protect it equally. I’ve had countless friends lose data, not because of hacks, but because they did not keep backups, or thought that an external drive was “it”. I’ve seen tears over mechanical failures, and decades of memories lost, and I could do nothing, but shrug my shoulders. If information is important, take good care of it. Multiple backups. Offline cold storage. If something goes to the cloud, make sure every single bit is encrypted with best available methods. Do not rely on corporate reassurances. Their job is to sell you stuff, or to sell you out, when it fits the bottom line.

I hope this serves as a wakeup call for those putting too much trust into Internet Of Things. It was never safe and never will be. Assume that this can happen to anything. Today it’s an external HD, tomorrow it’ll be your own operating system. Hackers aren’t going away any time soon, and neither do incompetent firmware programmers.


I have exactly same issue with my 2T my book live yesterday.
I am not able log in and years of data saved on this drive completely gone.
Please help !!!

Just noticed this, unable to log in, kept saying password was wrong, tried to reset the password but I don’t receive the reset email, I have disconnected the drive, just hoping nothing is lost, and a fix will be found soon

I switched to a USB drive because the network drive was too slow. However, diskinternals has a preview for some filetypes, and it’s pretty impressive what it found- there’s quite a few files I backed up from 5+ years ago that are just fine, with the exception of the name.

I am in the same situation as well my data got lost. i had it setup up a raid configuration and when i checked the ui it was set back to factory default of set to 6tb drive instead of 3 tb in a raid config. now i have lost the last 15yrs of photos of kids growing up weddings etc. and very frustrated. if any one has a solution of hear what WD is willing to do to help out etc. loop me in the conversation.

Found it. It’s called /CacheVolume hat my side. Give it a try today

Just checked UPnP had been enabled on my router - it is now DISABLED :face_with_head_bandage:


andyman, did the other Volume 2 overnight before I saw your posts, many thanks for the update much appreciated. I am now scanning, using DiskInternals Data Recovery programme, the /DataVolume “drive” and will provide an update when it is done. Could be a while as it was about 2hrs for 2Gb, this is going to be 1,000+Gb !!! Just as well I am visiting my family today and not sat waiting for it to move off 0% !!!

Same here hit at 00.33am 24th June, just the 4 default folders remain and .tickle file. All files gone, hope there is a solution to retrieve them!

1 Like

Ive just found out im another victim in the UK. Just disconnected my drive from my router and connected it directly to my computer. Done a reset on the back and now seeing if i can get back into it somehow. What software recovery programs are people using by any chance if i haver to go down that route???

Snap! just switched on to 15 years of files gone…

Currently trying to open mine so i can get it connected directly to my PC see if anything can be recovered

Disabling remote access and automatic updates didn’t prevent my drive from being attacked, so it won’t help.


So far all of the IP addresses posted from potential sources of the attack are from (surprise, surprise) China and Russia. I’m just so surprised.


I would like to check if there is a global IP address scan or similar going on where attackers are trying to access the REST API on random IP addresses. Therefore I would like to check my server (which has nothing to do with WD if the REST API call is in the Apache2 access log).

But I am not sure if this is going to work since attackers probably exploit UPnP. Can somebody please explain to me how UPnP works in this case? How can attckers access HTTP behind the NAT? How can they identify the MyBook ? What happens when there are two MyBooks behind the NAT, how can the attackers tell the UPnP router which one to access?

1 Like