This is like the worse case scenario that security researchers have been warning about. Someone exploited an old vulnerability for some WD devices and wiped out all the data in those devices that are exposed in the internet.
WD advises customers to immediately unplug their My Book Live and My Book Live Duo from the internet.
“I have a WD mybook live connected to my home LAN and worked fine for years,” the person who started the thread wrote. “I have just found that somehow all the data on it is gone today, while the directories seem there but empty. Previously the 2T volume was almost full but now it shows full capacity.”
It’s too easy to blame IoT device manufacturers, but this is a very tough problem. The following comment from HN says it best.
There’s really no winning with this.
You can release patches 6 years after your device is EoL but there will forever be more security issues and people using your ancient product (think how long it takes some versions of Windows to truly reach less than 100k active machines. Hell I wonder if Windows 3.1 has really reached that number or not. The long tail is going to be loooong). Not to mention you’ve created a precedent that the device is still getting patches and can be used by users, only making the lifecycle issue worse.
You can release a version which severely limits the capability of the product or effectively disables it but this is just a guaranteed way of getting bad press and even more customers will be mad at you for killing a device early.
You can turn the device over to the community (if you can managed to get it through legal and 3rd party agreements) but that isn’t actually going to solve anything as it’s not a product for extremely tech savvy users, at best it buys deflection in the news report in exchange for the effort of doing this (if you can at all).
You can claim the lifecycle is over and years later and be technically correct but still get the bad press and user feedback anyways.
Source: “I’m totally screwed.” WD My Book Live users wake up to find their data deleted