Smart home device maker exposes billions of records

The Chinese company left a large database unprotected, resulting in 2.7 billion records becoming available online.

What happened

The Chinese company Mars Hydro makes a variety of internet-connected devices, such as LED lights and hydroponics equipment. The company recently suffered a massive data breach after leaving an unprotected database publicly accessible. The database is estimated to have held nearly 2.7 billion records, data that would normally be password-protected or encrypted.

The database contained device-monitoring and error records from around the world. Exposed data included Wi-Fi network names and passwords, IP addresses, device ID numbers and other details linked to the devices. Internal records also referenced two other companies, one of which is based in California.

Going deeper

The database was discovered by security researcher Jeremiah Fowler, who immediately notified the involved companies. Within hours, the public database became restricted. 

Although Mars Hydro quickly rectified the situation, it is unclear how long the data was exposed or whether any unauthorized parties accessed it with malicious intent. A forensic audit could determine whether the data was misused, but no such audit has been publicly announced.

Why it matters

Theoretically, this information could allow unauthorized users to access home networks, compromise other devices, intercept additional data, or launch a cyberattack. 

On top of this, malicious actors frequently build profiles of individuals by combining information from multiple breaches; the more complete the profile, the more likely it is to enable fraud or identity theft.

The big picture

While most breaches are discovered when organizations notice unusual activity on their networks, this one was found by someone simply stumbling upon the data. The lack of security around such a vast amount of data is troubling, especially at a large organization. Other organizations should take this incident as a serious reminder to always keep databases password-protected or encrypted. Researchers like Jeremiah Fowler notify companies of what they find, but had a malicious actor stumbled upon this information first, it would likely have been a goldmine for collecting data. Furthermore, many threat actors are opportunistic and look for the easiest possible way to acquire personal data.

Even though this breach likely did not involve significant personal information, such as names, every breach can have harmful consequences for victims, especially when it allows threat actors to compromise other devices. While Mars Hydro has not yet announced further details, the company will likely face backlash from those affected.