A Chinese smart home equipment manufacturer recently suffered a data exposure that left roughly 2 billion user log entries open to anyone who found them. The database included personally identifiable information from customers around the world, including the United States.
Forbes reports that a team of “hacktivist” security researchers has exposed yet another huge data vulnerability as part of a web-mapping project. The researchers identified themselves as Noam Rotem and Ran Locar of vpnMentor, and stated that they recently discovered a major security flaw in a user database belonging to Chinese firm Orvibo, which offers an Internet of Things (IoT) and smart home management platform.
Orvibo is a Chinese firm based in Shenzhen that offers a “reliable smart home cloud platform,” and specifically states that it “supports millions of IoT devices and guarantees the data safety.” According to the vpnMentor researchers, the exposure was trivial to find: a misconfigured Elasticsearch database was reachable from the internet with no password at all protecting the user data. Kibana, the web front end used to browse that data, had likewise been left without a password.
The general manager of Vizion.ai, Geoff Tudor, told Forbes: “When first installed, Elasticsearch’s API is completely open without any password protection. … Then it takes a single command to search through the data stored in it.”
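The two misconfigurations described above (an Elasticsearch HTTP API that answers without credentials, and an index listing that reveals exactly how much data is sitting behind it) are easy to test for from the outside. The following script is an added example written for this article, not code from vpnMentor, Forbes or Orvibo. It uses only the Python standard library; the host name and the sample responses it contains are constructed for illustration and are not real Orvibo data.

```python
# Added example (not from the article or from vpnMentor/Orvibo): probe an
# Elasticsearch endpoint for the misconfiguration described above, an HTTP
# API that answers without credentials, and summarise what an open index
# listing reveals. Only the Python standard library is used.
import json
import urllib.error
import urllib.request

# Paths an unauthenticated cluster answers on: the root banner and the index listing.
PROBE_PATHS = ("/", "/_cat/indices?format=json")


def fetch(url, timeout=5):
    """GET url and return (status, body). HTTP errors are results, not exceptions;
    a connection failure is reported as status 0."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.getcode(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:      # must precede URLError (it is a subclass)
        return err.code, err.read().decode("utf-8", "replace")
    except urllib.error.URLError:
        return 0, ""


def classify(status, body):
    """Decide from one response whether the endpoint demands authentication."""
    if status in (401, 403):
        return "auth_required"
    if status != 200:
        return "unknown"
    try:
        data = json.loads(body)
    except ValueError:
        return "unknown"          # e.g. an HTML page from something that is not Elasticsearch
    if isinstance(data, dict) and "cluster_name" in data:
        return "open_cluster_banner"
    if isinstance(data, list) and data and all(isinstance(row, dict) and "index" in row for row in data):
        return "open_index_listing"
    return "unknown"


def summarize_indices(body):
    """From a /_cat/indices?format=json body, return (index_count, total_docs, largest_index).
    docs.count is a string in that API and may be null for closed indices."""
    rows = json.loads(body)
    counts = {row["index"]: int(row.get("docs.count") or 0) for row in rows}
    largest = max(counts, key=counts.get) if counts else None
    return len(rows), sum(counts.values()), largest


def audit(base_url):
    """Probe each path and return {path: verdict}; any 'open_*' verdict means
    there is no authentication in front of the data."""
    base = base_url.rstrip("/")
    return {path: classify(*fetch(base + path)) for path in PROBE_PATHS}


# Constructed sample responses (not real Orvibo data) so the logic can be exercised offline.
SAMPLE_BANNER = json.dumps({"name": "node-1", "cluster_name": "smarthome-logs",
                            "version": {"number": "6.5.4"}, "tagline": "You Know, for Search"})
SAMPLE_INDICES = json.dumps([
    {"health": "green", "status": "open", "index": "user-logs-2019.06", "docs.count": "1500000000"},
    {"health": "green", "status": "open", "index": "device-events", "docs.count": "500000000"},
])


if __name__ == "__main__":
    print(classify(200, SAMPLE_BANNER))        # open_cluster_banner
    print(summarize_indices(SAMPLE_INDICES))   # (2, 2000000000, 'user-logs-2019.06')
    # Against a host you are authorised to test: print(audit("http://localhost:9200"))
```

A verdict of `open_cluster_banner` or `open_index_listing` on a public address is exactly the condition the researchers found; the fix is to keep port 9200 (and Kibana's 5601) off the public internet, bind `network.host` to a private interface, and enable authentication (`xpack.security.enabled: true`) so that these paths return 401 instead of data. Kibana can be checked the same way, since an unauthenticated instance serves its UI and API without a login.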
According to the vpnMentor report, the database contained:
- Email addresses
- Account reset codes
- Precise geolocation
- IP address
- Family name
- Family ID
- Smart device
- Device that accessed account
- Scheduling information
vpnMentor reportedly found logs for users based in China, Japan, Thailand, Mexico, France, Australia, Brazil, the United Kingdom and the U.S. in the database. The researchers singled out the account reset codes as the most sensitive data in it. “These would be sent to a user to reset either their password or their email address,” the report states. “With that information readily accessible, a hacker could lock a user out of their account without needing their password. Changing both a password and an email address could make the action irreversible.”
Read the full vpnMentor report here.