Western Digital, maker of the popular My Disk external hard drives, is recommending customers unplug My Disk Live devices from the Internet until further notice while company engineers investigate unexplained compromises that have completely wiped data from devices around the world.
The mass incidents of disk wiping came to light in this thread on Western Digital’s support forum. So far, there are no reports of deleted data later being restored.
All my data is gone
“I have a WD mybook live connected to my home LAN and worked fine for years,” the person starting the thread wrote. “I have just found that somehow all the data on it is gone today, while the directories seems there but empty. Previously the 2T volume was almost full but now it shows full capacity.”
Other My Book Live users quickly joined the conversation to report they, too, had experienced precisely the same thing. “All my data is gone too,” one user soon responded. “I am totally screwed without that data… years of it.”
Multiple users reported that the data loss coincided with a factory reset that was performed on their devices. One person posted a log that showed unexplained behavior occurring on Wednesday:
Jun 23 15:14:05 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 MyBookLive shutdown: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 MyBookLive _: pkg: wd-nas
Jun 23 16:02:30 MyBookLive _: pkg: networking-general
Jun 23 16:02:30 MyBookLive _: pkg: apache-php-webdav
Jun 23 16:02:31 MyBookLive _: pkg: date-time
Jun 23 16:02:31 MyBookLive _: pkg: alerts
Jun 23 16:02:31 MyBookLive logger: hostname=MyBookLive
Jun 23 16:02:32 MyBookLive _: pkg: admin-rest-api
“I believe this is the culprit of why this happens,” the person wrote. “No one was even home to use this drive at this time.”
The My Book is a popular storage device for consumers and businesses. It plugs into computers, typically through USB, but it can also be accessed remotely so users can access data or make configuration changes. The affected model, known as My Book Live, uses Western Digital cloud infrastructure to provide remote access. Western Digital discontinued the My Book Live in 2015. The support forum thread was first reported by Bleeping Computer.
On its website, Western Digital advised customers to disconnect their My Book Live devices to prevent further attacks while the company investigates the mass wiping.
In an email, Western Digital officials wrote:
The incident is under active investigation from Western Digital. We do not have any indications of a breach or compromise of Western Digital cloud services or systems.
We have determined that some My Book Live devices have been compromised by a threat actor. In some cases, this compromise has led to a factory reset that appears to erase all data on the device. The My Book Live device received its final firmware update in 2015.
At this time, we are recommending that customers disconnect their My Book Live devices from the Internet to protect their data on the device.
We have issued the following statement to our customers and will provide updates to this thread when they are available: https://community.wd.com/t/action-required-on-my-book-live-and-my-book-live-duo/268147
The limited amount of information available at the moment makes it hard to determine what’s causing this mass data destruction. Western Digital’s advice to unplug devices while the investigation continues is warranted, and users should follow it as soon as possible.
In the meantime, My Book Live users are trying to manage the hardship brought on by the incident.
“It is very scary and devastating that someone can do factory restore on my drive without any permission granted from the end user,” one user wrote. “I need a remedy to this issue immediately as this is already incurring a great cost to me.”
Post updated to emphasize that only My Book Live devices are reported to be affected.