A major IoT data breach has exposed 2.7 billion records, including Wi-Fi network names, passwords, IP addresses, and device IDs.
Cybersecurity researcher Jeremiah Fowler uncovered an unprotected database associated with Mars Hydro, a Chinese IoT grow light company, and LG-LED Solutions from California. He reported his findings to vpnMentor, which shared them exclusively with Infosecurity.
The unprotected database, totaling 1.17 terabytes, had 13 folders with over 100 million records each. Error logs also exposed device operating systems, API tokens, and app versions.
This data probably came from users of the Mars Hydro Mars Pro app for iOS and Android. Although Mars Hydro quickly limited access after the breach, there are still concerns about how long the data was exposed and if unauthorized parties accessed it.
Risks of IoT Data Breaches:
The exposed data poses serious risks, including unauthorized network access and attacks like “nearest neighbor” exploits, where cybercriminals take over nearby Wi-Fi networks.
“In November 2024, it was reported that Russian military hackers from the GRU’s Unit 26165, also known as APT28 or Fancy Bear, used […] ‘nearest neighbor attack’ to breach an organization based in Washington, D.C. that was focused on supporting Ukraine,” Fowler said.
“The hackers compromised a nearby organization’s network that was simply in range of the target’s Wi-Fi and then gained access to the victim’s network.”
Palo Alto Networks research shows that 57% of IoT devices are vulnerable because of outdated operating systems or insufficient encryption. Many devices have weak credentials, emphasizing the need for improved security measures.
Experts advise encrypting sensitive logs, changing default passwords, conducting regular security audits, and restricting public cloud access to private repositories to reduce future risks.
InfoSecBulletin Cybersecurity for mankind
