Unplug your WD My Book Live drive NOW, or you may find your data erased

You may have heard through the grapevine several days ago, or you may be a part of Reddit, or even the Western Digital (WD) community that owners of certain Western Digital My Book Live external hard drives were hit with a remote exploit that caused certain WD product hard drives to be wiped.

That’s right, you read that correctly! Hackers have managed to bypass an authentication control, or, lack there of and completely erase the contents of the data housed on the hard drive. The attack caused thousands of devices in the United States (US), and Canada (CA) to lose data, instantly. Alternatively, you yourself, may be the unlucky owner of one of these devices and still are mourning the loss of your data.

My Book Live and Live Duo device owners on Thursday (6/24/21) began flooding Western Digital’s support forums with reports that all of their files had been mysteriously deleted and that they could no longer access the device via the official app or a browser.

One user wrote:

“I have a WD My Book live connected to my home LAN that’s worked fine for years,” wrote the first poster in a now-incredibly long thread. “I have just found that somehow all the data on it is gone today, while the directories seems there but empty. Previously the 2T volume was almost full but now it shows full capacity.”

A message from Western Digital:

“Western Digital has determined that some My Book Live devices are being compromised by malicious software. In some cases, this compromise has led to a factory reset that appears to erase all data on the device. The My Book Live device received its final firmware update in 2015. We understand that our customers’ data is very important. At this time, we recommend you disconnect your My Book Live from the Internet to protect your data on the device. We are actively investigating and we will provide updates to this thread when they are available.”

Following other reports, a pattern has emerged in shared device logs that points to a remote command initiating a factory reset on affected devices beginning at around 3:00 p.m. on Thursday and continuing throughout the night.

Here is one of the logs reported from user sunpeak on WD forums:

Jun 23 15:14:05 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:14:05 MyBookLive shutdown[24582]: shutting down for system reboot
Jun 23 16:02:26 MyBookLive S15mountDataVolume.sh: begin script: start
Jun 23 16:02:29 MyBookLive : pkg: wd-nas Jun 23 16:02:30 MyBookLive : pkg: networking-general
Jun 23 16:02:30 MyBookLive : pkg: apache-php-webdav Jun 23 16:02:31 MyBookLive : pkg: date-time
Jun 23 16:02:31 MyBookLive : pkg: alerts
Jun 23 16:02:31 MyBookLive logger: hostname=MyBookLive Jun 23 16:02:32 MyBookLive : pkg: admin-rest-api

Another user log reported by Marknj1:

Jun 23 15:30:48 MyBookLive factoryRestore.sh: begin script:
Jun 23 15:30:48 MyBookLive shutdown[32260]: shutting down for system reboot
Jun 23 15:30:56 MyBookLive CommMgr: DaemonControl::disableRemoteAccess – remote access is disabled.
Jun 23 15:31:02 MyBookLive kernel: nfsd: last server has exited, flushing export cache

CyanLine can help here. As part of our Twitter outreach, we made a post that offers the first 5 users of a Western Digital device that was erased, FREE data recovery services as we are studying new recovery techniques. CyanLine has successfully recovered hundreds (maybe even thousands at this point) since we were formed as a company in 2004.

Are you affected? Contact us! The first 5 people who do will not have to pay a single penny to us. While these are tough times and we know your data is very important, such as family photos, videos, and other documents you may house on a hard drive, we will take extra precaution as we always do to ensure a safe recovery of your data.

Contact CyanLine

Scroll to top