Jeremiah Fowler, an experienced cybersecurity researcher at vpnMentor and co-founder of Security Discovery, has uncovered a massive data exposure involving nearly 2.7 billion records linked to Mars Hydro, a China-based manufacturer of IoT-enabled grow lights.
The breach, which included sensitive Wi-Fi credentials, IP addresses, and device details, underscores ongoing concerns about IoT security and data privacy.
Fowler discovered the unprotected database and reported it to vpnMentor. The publicly accessible trove contained 2,734,819,501 records totaling 1.17 terabytes of data, exposing logging, monitoring, and error records for IoT devices sold globally. The records included:
- Wi-Fi network names (SSID) and passwords
- IP addresses and device ID numbers
- Operating system details of connected devices
- API details and error logs for Mars Hydro and affiliated companies
The database appeared to belong to LG-LED SOLUTIONS LIMITED, a California-registered company associated with Mars Hydro. Some records referenced Spider Farmer, another IoT-enabled grow light manufacturer.
Immediate Action Taken, but Questions Linger
Upon discovering the breach, Fowler sent a responsible disclosure notice to Mars Hydro and LG-LED SOLUTIONS. Within hours, the database was secured and removed from public access.
However, neither company responded to the initial notification. In a follow-up inquiry, Mars Hydro confirmed that the Mars Pro app, which interfaces with its IoT devices, is an official product.
It isn’t clear how long the database was exposed, whether unsanctioned parties accessed the data, or if the database was managed in-house or by a third party.
Broader IoT Security Concerns
The exposure raises red flags about IoT device security, particularly those with weak encryption and poor credential management. Research by Palo Alto Networks found that 57% of IoT devices are highly vulnerable, and 98% of data transmissions are unencrypted. Also, 83% of IoT devices run outdated or unsupported software, making them compelling targets for bad actors.
Another significant risk is the use of default credentials—many users do not change factory-set passwords, leaving devices vulnerable to unauthorized access. In some cases, IoT devices operate without authentication, meaning anyone with network access can control them.
Nearest Neighbor Attacks and Network Intrusions
Unsecured Wi-Fi credentials add another layer of risk. A sophisticated cyberattack technique, dubbed a “nearest neighbor attack,” allows malicious actors to infiltrate networks by exploiting weak nearby Wi-Fi signals.
In November 2024, Russian threat actors from the GRU’s Unit 26165 (APT28/Fancy Bear) reportedly used this method to breach a Washington, DC-based entity supporting Ukraine.
With exposed Wi-Fi credentials, cybercriminals could hijack IoT devices to manipulate grow lights, fans, or temperature controls, potentially harming crops; intercept network traffic to steal additional credentials and sensitive files; and use infected devices in botnet attacks, launching DDoS attacks or other malicious activities.
Mitigating IoT Security Risks
To prevent similar incidents, IoT manufacturers need to adopt stronger security measures and ensure security is built in from the ground up instead of being tacked on like an afterthought.
- Avoid storing sensitive information like Wi-Fi passwords in plaintext
- Encrypt data and replace identifiable device information with hashed or tokenized values
- Restrict public access to internal cloud storage
- Implement long-term patch management for security updates
- Conduct regular audits and penetration tests
Not Out of the Woods Just Yet
Fowler stressed that his findings do not suggest wrongdoing by Mars Hydro, LG-LED SOLUTIONS, Spider Farmer, or any affiliates. The data exposure highlights common security gaps in IoT ecosystems rather than deliberate negligence or intent to misuse data.
As IoT adoption accelerates, securing connected devices must become a priority. Without robust safeguards, these vulnerabilities could be exploited, leading to privacy breaches, cyberattacks, and potential real-world disruptions.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.