A total of 2.7 billion records containing sensitive user data, including Wi-Fi network names, passwords, IP addresses, and device identifiers, were exposed in a massive IoT security breach linked to Mars Hydro, a China-based grow light manufacturer, and LG-LED SOLUTIONS LIMITED, a California-registered firm.
The unprotected database, discovered by cybersecurity researcher Jeremiah Fowler and reported to vpnMentor, underscores critical vulnerabilities in IoT device security and cloud storage practices.
The exposed database, totaling 1.17 terabytes, was publicly accessible without password protection or encryption. It contained logs, monitoring records, and error reports from IoT devices sold globally, including:
Mars Hydro’s Mars Pro app, used to control IoT grow lights and climate systems, reportedly collected this data despite its privacy policy claiming no user data collection.
Further investigation linked the records to LG-LED SOLUTIONS LIMITED, a California-registered company. The exposed data also included API details and URL links to LG-LED SOLUTIONS, Mars Hydro, and Spider Farmer, companies that manufacture and sell agricultural grow lights, fans, and cooling systems.
Many records were labeled “Mars-pro-iot-error” or “SF-iot-error,” containing tokens, app versions, device types, and IP addresses alongside SSID credentials.
Fowler promptly notified LG-LED SOLUTIONS and Mars Hydro, and within hours, access to the database was restricted. Mars Hydro confirmed that the “Mars Pro” app, available on both iOS and Android in multiple languages, is their official product.
However, it remains unclear whether LG-LED SOLUTIONS directly managed the database or used a third-party contractor. The duration of the database’s exposure and whether unauthorized parties accessed it are also unknown.
The leaked data poses severe risks:
Fowler highlighted the “nearest neighbor attack,” a tactic used by Russian GRU hackers in 2024 to breach a Ukraine-focused organization via nearby Wi-Fi networks, as a plausible risk scenario.
Palo Alto Networks’ threat report adds context: 98% of IoT device data is unencrypted, and 57% of devices are highly vulnerable.
This incident reflects systemic IoT security flaws:
Notably, researchers speculate this breach might involve the same database exposed in 2019 by Orvibo, a Chinese smart-device brand.
Experts urge IoT manufacturers and users to:
Mars Hydro and LG-LED SOLUTIONS have not commented on the breach’s origin or potential third-party involvement. Fowler emphasized his findings aim to “raise awareness,” with no evidence of direct misuse.