Help! All data in mybook live gone and owner password unknown

Hi, I said UPnP was ON

You should probably edit your post then. It’s still says OFF very clearly.

Yes I know I am in IT also. I also know many otherwise very intelligent folks lack even the slightest knowledge of IT. My neighbor and her husband (both Ph Ds) just went hysterical when their son’s iPad would not longer connect to Minecraft. All they had to do was read the error message that clearly stated an IOS upgrade was required to connect. To them this was big deal , asking if their device was hacked. They are both otherwise very well respected doctors.

You are right, but my MBL is expendable with transmission and everything on it :slight_smile:

sorry that was not my post, I replied to the wrong post of yours :slight_smile:

1 Like

Don’t think of it as just an attack on your MBL, it’s just a stopping off point to the inside of your home network. It’s unclear yet, but it seems like these MBL devices might have been zombied by malware for months without anyone knowing.

True that! I was researching earlier and found couple options:

  1. open the box and reimage the whole thing with openwrt or debian - not worth the trouble since I have other nas already
  2. reimage the os in place by disabling raid on sda1 and write a clean debian os on it before making it default boot partition - also seems like too much trouble and if something goes wrong I still have to open the box …
    will probably just let it run until it dies, it was used as a 3rd copy backup of my home PCs
1 Like

I wouldn’t go that far. A Synology NAS set up properly is vastly more hardened than these old WD devices that are compromised. I use Synology’s robust 2FA phone app that works similar to enterprise level 2FA schemes I utilize. I’m of course not saying Synology is impregnable nor a substitute for enterprise, but it’s on a much higher level than these WD devices and, in my opinion, better than Qnap as well to some extent. Synology costs significantly more, but it’s well worth it for the added security, reliability and functionality.

Thank you for your answer. Do you have an idea why some users have reported that they have UPnP disabled and still be attacked?

Advisory Summary

At this time, we recommend you disconnect your My Book Live and My Book Live Duo from the Internet to protect your data on the device by following these instructions on our Knowledge Base.

The Knowledge Base link then says:

My Book Live can be accessed when the device is powered on and connected to a computer using the Ethernet cable for direct access.

So let’s be clear. We cannot even put these things on a local network without them getting hacked? What if we block WAN access on the router like this?


Are the devices still going to get hacked?


Depending upon their routers, after UPnP was disabled on the WD device, the router still kept the ports open afterwards. I suspect they needed to not only disable UPnP in the WD device settings, but also turn off UPnP on their router to clear out the previously forwarded ports.

I’ve tested this by turning on UPnP on the WD device, then turning it back off again to find the ports remained open on the router until they were either manually cleared or UPnP was disabled on the router.

I also wonder how many people manually forwarded ports on their routers when they initially set up their WD devices then forgot about it?

As far as the UPnP thing goes, we may never know for sure because their device settings were wiped after they got hacked and people are basing their comments on memory unless they saved their config files. Memories are unreliable to say the least.

1 Like

I just received this email from Western Digital. I’m sure all registered users will get it too:

Our records indicate that you registered a My Book Live or My Book Live Duo device. To protect your data on the device from ongoing attacks, we recommend you disconnect your My Book Live and My Book Live Duo from the Internet and access your data locally by following these instructions on our Knowledge Base.

Western Digital has determined that some My Book Live and My Book Live Duo devices are being compromised through exploitation of a remote command execution vulnerability. In some cases, the attackers have triggered a factory reset that appears to erase all data on the device.

Our investigation of this incident has not uncovered any evidence that Western Digital cloud services, firmware update servers, or customer credentials were compromised. As the My Book Live devices can be directly exposed to the internet through port forwarding, the attackers may be able to discover vulnerable devices through port scanning.

We understand your data is very important. Some customers have reported that data recovery tools may be able to recover data from affected devices, and we are currently investigating the effectiveness of these tools.

We are continuing our investigation and will post the latest information about this incident on our Product Security Portal. For further assistance, you can contact our Customer Support team


So, my question still stands from here:

What if we turn off UPnP and block WAN access to the WD devices on the router like this?


This custom service blocking rule applied to my MBL combined with UPnP being completely disabled from my network with no forwarded ports should keep port scanning at bay, should it not? Not only that the router has NAT enabled along with a firewall set to ‘medium’ for whatever that’s worth.

I really wish @WD_Admin would address this ASAP.

So I got affected too… can’t access my device and data.
What do I do now? Should I wait or can I recover my data back with software? Is it worth the risk?

The thread has people sharing varying degrees of success in recovering files. I would read through it.

1 Like

See my post from a few minutes ago. I had put in a ticket with WD two days ago.

See my post from a few minutes ago. I had put in a ticket with WD two days ago.

So according to WD, there’s no easy way to just block the MBL from the internet while remaining on our LAN? The solution in that link essentially means we just turn our MBL into a USB drive.

1 Like

SKYSCAPE, I’m a Network Engineer and this is way out of my league. As much as my data means to me, I’m going with the “sit and wait” rule to see what WD comes up with. I have not tried to do anything with my drive since it was reformatted to factory default. I even offered WD support that I would send them my drive to diagnose if it helped them help all the other user involved. I’m sure that WD is going to go with “It wasn’t our fault” scenario, but I’m going to give them the benefit of the doubt for now…


I mean it will be almost as easy to use, and not nearly as vulnerable to attack. I’m not sure if that came through what I said or not.

1 Like

Did you just say you’re a network engineer and blocking a device outbound is “way out of your league”? Please clarify…

Also WD isn’t coming in with their knight in shining armor to recover anybodies data. They have already made their statement, I bet their reply comes back in email with “We offer you 10% off on a new MyBook Ultra (new model) if you purchase through us within the next 24h”.

1 Like