Cybersecurity researcher Jeremiah Fowler uncovered a non-password-protected database that contained nearly 2.7 billion records belonging to Mars Hydro.

Mars Hydro is a China-based company offering IoT grow lights and software applications that allow users worldwide to control devices, timers, and settings remotely.

According to Fowler, the exposed database contained 2,734,819,501 records with a total size of 1.17 TB. There were folders inside the database indicating logging, monitoring, and error records for IoT (Internet of Things) devices sold worldwide.

In a limited sampling of the exposed documents, Fowler saw 13 folders with over 100 million records containing SSIDs (service set identifiers), more commonly known as Wi-Fi network names. Apart from these Wi-Fi network names, the records also included passwords, IP addresses, device ID numbers, and much more. These appeared to be details of connected IoT devices as well as references to the control device (smartphone) running the IoT software application, including details about its operating system (e.g., iOS, Android).

According to Fowler, the exposed records belonged to a California-registered company called LG-LED SOLUTIONS LIMITED. The exposed records also contained API details and URL links to LG-LED SOLUTIONS, Mars Hydro, and Spider Farmer. These companies manufacture and sell grow lights, fans, and cooling systems for agricultural purposes.

In addition to the SSID credentials, the error logs included potentially sensitive information like tokens, app version, device type, and IP addresses.
