If you own a WD My Book Live drive, you should unplug it from your router immediately. Several users on the Western Digital forum report that their drives were factory reset through remote commands, leading to the permanent loss of all data. In a statement, Western Digital blames this problem on “malicious software.”
Update, 6/29/21 11:29 am Eastern: Western Digital removed code that would have prevented this factory reset exploit from happening. Read more about this and other troubling details in our latest My Book Live update.
Note: Only the WD My Book Live is impacted by this problem. Other Western Digital NAS devices appear to be fine.
The WD My Book Live is a Network-Attached Storage (or NAS) device with a twist. It sits behind a firewall and communicates through Western Digital’s cloud servers to provide remote storage for users. Western Digital stopped supporting the My Book Live back in 2015, but the company continues to run its My Book Live servers for dedicated users.
At a glance, it might seem that the 6-year lapse in firmware or security updates left My Book Live users vulnerable to attacks. But because so many My Book Live drives were attacked within the span of just a few hours, many people wonder if Western Digital’s servers were hacked. (It’s worth noting that some victims had cloud services disabled on their device.)
A statement from Western Digital doesn’t really clarify the issue:
“Western Digital has determined that some My Book Live devices are being compromised by malicious software. In some cases, this compromise has led to a factory reset that appears to erase all data on the device. The My Book Live device received its final firmware update in 2015. We understand that our customers’ data is very important. At this time, we recommend you disconnect your My Book Live from the Internet to protect your data on the device. We are actively investigating and we will provide updates to this thread when they are available.”
Device data logs that users posted on the Western Digital forum show that the remote, global attack started on the afternoon of June 23rd (or the morning of the 24th, depending on your time zone). Some victims found that their password changed after the reset, while others can still access their drive but lost all of their files.
Again, it’s hard to tell what’s going on here, so My Book Live users should disconnect their drive now and shop for a replacement. (It hasn’t been updated in 6 years; it’s just not a safe storage solution anymore.) If your My Book Live is factory reset, then the data is probably impossible to recover. Some victims found success with the PhotoRec recovery tool, though these claims haven’t been verified.