Western Digital, maker of the popular My Disk external hard drives, is recommending that customers unplug My Book Live storage devices from the Internet until further notice while company engineers investigate unexplained compromises that have completely wiped data from devices around the world.
The mass incidents of disk wiping came to light in this thread on Western Digital’s support forum. So far, there are no reports of deleted data later being restored.
“I have a WD mybook live connected to my home LAN and worked fine for years,” the person who started the thread wrote. “I have just found that somehow all the data on it is gone today, while the directories seem there but empty. Previously the 2T volume was almost full but now it shows full capacity.”
Other My Book Live users quickly joined the conversation to report that they, too, had experienced precisely the same thing. “All my data is gone too,” one user soon responded. “I am totally screwed without that data... years of it.”
Multiple users reported that the data loss coincided with a factory reset that was performed on their devices. One person posted a log that showed unexplained behavior occurring on Wednesday:
Jun 23 15:14:05 MyBookLive factoryRestore.sh: begin script:Jun 23 15:14:05 MyBookLive shutdown: shutting down for system rebootJun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: startJun 23 16:02:29 MyBookLive _: pkg: wd-nasJun 23 16:02:30 MyBookLive _: pkg: networking-generalJun 23 16:02:30 MyBookLive _: pkg: apache-php-webdavJun 23 16:02:31 MyBookLive _: pkg: date-timeJun 23 16:02:31 MyBookLive _: pkg: alertsJun 23 16:02:31 MyBookLive logger: hostname=MyBookLiveJun 23 16:02:32 MyBookLive _: pkg: admin-rest-api
“I believe this is the culprit of why this happens,” the person wrote. “No one was even home to use this drive at this time.”
The My Book is a popular storage device for consumers and businesses. It plugs into computers, typically through USB. The affected model, known as My Book Live, uses an Ethernet cable to connect to a local network. From there, users can remotely access their files and make configuration changes through Western Digital cloud infrastructure. Western Digital stopped supporting the My Book Live in 2015. The support forum thread was first reported by Bleeping Computer.
On its website, Western Digital advised customers to disconnect their My Book Live devices to prevent further attacks while the company investigates the mass wiping.
In an email, Western Digital officials wrote:
The incident is under active investigation from Western Digital. We do not have any indications of a breach or compromise of Western Digital cloud services or systems.
We have determined that some My Book Live devices have been compromised by a threat actor. In some cases, this compromise has led to a factory reset that appears to erase all data on the device. The My Book Live device received its final firmware update in 2015.
At this time, we are recommending that customers disconnect their My Book Live devices from the Internet to protect their data on the device.
We have issued the following statement to our customers and will provide updates to this thread when they are available: https://community.wd.com/t/action-required-on-my-book-live-and-my-book-live-duo/268147
The limited information available at the moment makes it hard to determine what is causing this mass data destruction. Western Digital’s statement seems to be saying that customer accounts were individually compromised. The advice to unplug devices while the investigation continues is warranted, and users should follow it as soon as possible.
In the meantime, My Book Live users are trying to manage the hardship brought on by the incident.
“It is very scary and devastating that someone can do factory restore on my drive without any permission granted from the end user,” one user wrote. “I need a remedy to this issue immediately as this is already incurring a great cost to me.”
Post updated to emphasize that only My Book Live devices are reported to be affected.