Incident

Chinese IoT manufacturer Mars Hydro leaks 2.7 billion records via unsecured database

Take action: The product design was terrible to begin with: why store credentials and tokens at all, and why store them in cleartext? On top of that, the database was left in the open. Anyone using this product should reset all Wi-Fi and personal passwords immediately.


Learn More

A massive data exposure incident involving Mars Hydro, a China-based IoT grow lights manufacturer, was discovered by cybersecurity researcher Jeremiah Fowler and reported to vpnMentor.

The incident was caused by an unprotected, unencrypted, publicly accessible database containing nearly 2.7 billion records (specifically 2,734,819,501 records) with a total size of 1.17 TB.

The exposed data included:

  • Wi-Fi network names (SSID)
  • Wi-Fi passwords in plain text
  • IP addresses
  • Device ID numbers
  • Operating system information (iOS, Android)
  • API details
  • URL links
  • Authentication tokens
  • App version information
  • Device type information
  • MAC addresses

The database contained 13 folders with over 100 million records related to IoT devices and their control applications. The records were associated with LG-LED SOLUTIONS LIMITED, a California-registered company, along with Mars Hydro and Spider Farmer brands. Many records were labeled as "Mars-pro-iot-error" or "SF-iot-error."

The researcher immediately sent a responsible disclosure notice to both LG-LED SOLUTIONS and Mars Hydro. The database was secured within hours of notification. Mars Hydro confirmed through customer support that the app was their official product, though it remains unclear whether the database was managed directly by LG-LED SOLUTIONS or through a third-party contractor.

The duration of exposure before discovery has not been disclosed. There is no information on whether any malicious actors accessed the data during the exposure period.
