![CHip](https://www.cybersecurity-insiders.com/wp-content/uploads/CHip-696x398.jpeg)
A significant data breach related to the Internet of Things (IoT) was uncovered by cybersecurity researcher Jeremiah Fowler. The breach was traced to an unprotected database belonging to Mars Hydro, a Chinese company specializing in lighting systems, and LG LED Solutions, a California-based business. Fowler discovered that sensitive data had either been fraudulently accessed or copied, raising alarm about the security practices of these companies.
Interestingly, some cybersecurity researchers on Telegram speculate that the leaked database may be the same one that was exposed in 2019. That previous breach involved Orvibo, a Chinese brand known for its smart control panels and lights. Regardless of which company is ultimately responsible for the database, reports suggest that hackers may have gained access to a staggering 1.7 terabytes of data, which was distributed across 13 folders. Each folder contained roughly 100 million records.
The full extent of the breach remains unclear, and it’s uncertain whether the stolen data has been misused or sold to malicious parties. However, the compromised data is extensive and includes email addresses, Wi-Fi credentials, phone numbers, precise geolocation data, account reset questions and answers, usernames, IP addresses, user IDs, smart device names, IoT device schedules, and more. This wealth of personal and device-related information could lead to serious privacy concerns if it falls into the wrong hands.
Such breaches often result from a combination of misconfiguration errors, network vulnerabilities, outdated IT systems, and a lack of encryption measures. In many cases, IoT devices come with default passwords that users never change, giving hackers an easy entry point to exploit the system and compromise the network.
Experts in cybersecurity have repeatedly warned users of IoT devices to take precautionary steps to safeguard their information. These measures include encrypting logs, replacing default passwords with strong, alphanumeric passwords (incorporating special characters), extending password lengths to 15 to 18 characters, and ensuring private databases are not accessible via public cloud services.
By following these security best practices, users can significantly reduce the risk of falling victim to similar breaches in the future, ensuring their personal data and IoT devices remain protected.