Massive Data Breach Exposes 2.7 Billion Records, Threatening IoT Security

A huge data breach discovered last week has exposed 2.7 billion records from companies Mars Hydro and LG-LED Solutions. The leak, totaling 1.17 terabytes of information, was stored on an unsecured, publicly accessible database.

What Happened?

Cybersecurity researcher Jeremiah Fowler uncovered the breach and reported it to vpnMentor. The exposed data includes:

  • Wi-Fi Details: Network names (SSIDs) and plain text passwords
  • Network Information: IP addresses
  • IoT Data: Unique device identifiers
  • Device Details: Operating system information (iOS/Android)
  • App Data: API tokens and app versions
  • Error Logs: Logs containing sensitive details

All of these details were stored without any encryption, leaving them easy targets for cybercriminals.

How Did It Happen?

Fowler explained that the breach occurred because several MongoDB databases were left unprotected: no passwords were used. In one instance, he found 13 folders with over 100 million records each. With the exposed Wi-Fi network names and passwords, attackers could easily join those networks and compromise other connected devices. Fowler also warned of “next-door neighbor” (KNN) attacks, where hackers target nearby networks to launch further attacks.

The IoT Connection

The data was collected by the Mars Pro app, which is used to control Mars Hydro’s cultivation lights and climate control systems. Interestingly, the app’s privacy policy claims that no user data is stored, a claim that clearly contradicts what was found in the logs. It appears that IoT devices are capturing detailed connection information once they join a local network.

A Broader IoT Security Issue

This incident highlights a larger problem in the IoT industry. A study by Palo Alto Networks found that:

  • 57% of IoT devices are highly vulnerable
  • 98% transmit data without encryption
  • 83% run on outdated or unsupported software

Due to limited processing power, many IoT devices cannot support advanced security measures like strong encryption or regular firmware updates.

Tips to Keep Your IoT Devices Safe

Here are some easy steps to protect your IoT devices:

  • Change Default Passwords: Replace factory-set passwords with strong, unique ones.
  • Update Firmware Regularly: Always install the latest updates and enable automatic updates if possible.
  • Segment Your Network: Keep IoT devices on a separate network from your computers and smartphones.
  • Disable Unnecessary Features: Turn off features like remote access or UPnP if they aren’t needed.
  • Use Strong Wi-Fi Encryption: Use WPA3 (or at least WPA2) with a robust password; avoid using outdated protocols like WEP.
  • Review Privacy Settings: Adjust device settings to limit unnecessary data collection.
  • Add Extra Security Layers: Consider using a dedicated IoT firewall or a VPN.
  • Monitor Network Traffic: Use network monitoring tools to detect suspicious activity.
  • Factory Reset Old Devices: When discarding old devices, perform a factory reset to erase all data and disable cloud connections if possible.

Source: vpnMentor
