Western Digital External Hard Disks - Warning
Message
From
27/06/2021 15:58:31
Al Doman (Online)
M3 Enterprises Inc.
North Vancouver, British Columbia, Canada
 
 
To
27/06/2021 10:37:38
General information
Forum:
Technology
Category:
Products
Miscellaneous
Thread ID:
01681595
Message ID:
01681611
Views:
33
>>From what I can tell the victims weren't storing their data in a WD cloud. But it seems likely their devices were remotely accessible through WD. It looks like a 3rd-party mediated service similar to LogMeIn, GoToMyPC etc. The data are on their devices but remote communications to them are through WD.
>
>That is about the picture I get from various other sources. In the cacophonic outrage raised by the articles, a few pointed out that with disabled comm to WD, the device was either hard to use or needed features were lost. No way to decide if those were PEBKAC issues or the others had lower level of wishes.
>
>>Your point about not being able to evaluate the risks is well taken. It's a classic example of convenience vs security. It would be interesting to find out if remote access on those devices was enabled by default.
>
>From what I read, it was, including factory set identical pwd - which is not totally wrong if you read the marketing blurb offered with it. If you bought device for the option to access data from anywhere, not only from inside your LAN, it makes sense. If the idea that it was a cheap NAS was not enough to sell, supporting the idea such internet access is as secure as LAN restricted NAS is IMO the "stooopid" part. This should not be seen as part of your normal data and backup routine, but as an area or device where copies are made available.

WD is now claiming victims' devices were directly accessible from the public internet: https://www.westerndigital.com/support/productsecurity/wdc-21008-recommended-security-measures-wd-mybooklive-wd-mybookliveduo . Either:

- Through direct connection i.e. no firewall or NAT translation (either extreme user ignorance or user should have known better)
- Through manual port forwarding in a firewall (user should have known better)
- Through automatic port forwarding via UPnP. From a security PoV UPnP is basically evil but unsophisticated users are unlikely to know that and in the 2015 timeframe it was still considered "OK" in some circumstances e.g. gaming. If the user knew about UPnP but allowed it anyways, they should have known better. I'd like to think WD did not try to use UPnP to configure users' routers by default (especially if they have a cloud-mediated alternative) but they do mention it in the link above and UPnP is initiated by the client device (i.e. MyBook), not the router (although the router must have it available and enabled).

Regards. Al

"Violence is the last refuge of the incompetent." -- Isaac Asimov
"Never let your sense of morals prevent you from doing what is right." -- Isaac Asimov

Neither a despot, nor a doormat, be

Every app wants to be a database app when it grows up
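
To check for the UPnP case on your own network, the router's port-mapping table can be read back and filtered for the storage device. The following is an added example, not part of the original post: it parses constructed replies in the shape of the UPnP IGD `GetGenericPortMappingEntry` response, and every address, port and description in it is a made-up sample value.

```python
import xml.etree.ElementTree as ET

# Shape of a UPnP IGD GetGenericPortMappingEntryResponse (WANIPConnection:1).
TEMPLATE = (
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    '<u:GetGenericPortMappingEntryResponse'
    ' xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
    "<NewRemoteHost>{rh}</NewRemoteHost>"
    "<NewExternalPort>{ep}</NewExternalPort><NewProtocol>{pr}</NewProtocol>"
    "<NewInternalPort>{ip}</NewInternalPort>"
    "<NewInternalClient>{ic}</NewInternalClient><NewEnabled>{en}</NewEnabled>"
    "<NewPortMappingDescription>{de}</NewPortMappingDescription>"
    "<NewLeaseDuration>0</NewLeaseDuration>"
    "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"
)

# Constructed sample table: 192.168.1.50 stands in for the NAS (assumption).
SAMPLE = [
    TEMPLATE.format(rh="", ep=8080, pr="TCP", ip=80, ic="192.168.1.50", en=1, de="nas-remote"),
    TEMPLATE.format(rh="", ep=3074, pr="UDP", ip=3074, ic="192.168.1.20", en=1, de="game-console"),
    TEMPLATE.format(rh="", ep=8443, pr="TCP", ip=443, ic="192.168.1.50", en=0, de="nas-remote-tls"),
]

def parse_mapping(soap_xml):
    """Return one port-mapping entry as a dict, ignoring XML namespaces."""
    # For replies from a device you do not trust, parse with defusedxml instead.
    fields = {}
    for el in ET.fromstring(soap_xml).iter():
        tag = el.tag.rsplit("}", 1)[-1]
        if tag.startswith("New"):
            fields[tag[3:]] = (el.text or "").strip()
    return fields

def exposed_services(responses, watched_hosts):
    """List enabled mappings that publish a watched LAN host on the WAN side."""
    findings = []
    for m in map(parse_mapping, responses):
        if m["Enabled"] == "1" and m["InternalClient"] in watched_hosts:
            any_source = m["RemoteHost"] == ""  # empty RemoteHost is a wildcard
            findings.append((m["Protocol"], int(m["ExternalPort"]),
                             m["InternalClient"], int(m["InternalPort"]), any_source))
    return findings

if __name__ == "__main__":
    for proto, ext, host, port, any_src in exposed_services(SAMPLE, {"192.168.1.50"}):
        scope = "any internet source" if any_src else "restricted source"
        print(f"{proto} WAN:{ext} -> {host}:{port} ({scope})")
```

The `NewInternalClient` field is the LAN address the mapping forwards to, so an enabled entry naming the NAS means the device is reachable from the WAN side on that external port.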