Sunday, 20 Apr 2025

Smart home device maker exposes 2.7 billion records in huge data breach

Major IoT data breach: Mars Hydro database with 2.7 billion records exposed. Kurt "CyberGuy" Knutsson says the breach is a reminder of the risks that come with using IoT devices.



Data breaches keep happening, and too often they come down to companies failing to take cybersecurity seriously. Some of the biggest breaches have been caused by negligence, and now there's another major one to add to the list. Mars Hydro, a Chinese company that makes Internet of Things (IoT) devices like LED lights and hydroponics equipment, left a massive database unprotected online. As a result, 2.7 billion records were exposed to anyone who knew where to look.

Mars Hydro, a Chinese manufacturer of IoT devices, suffered a massive data breach after a publicly accessible, unprotected database containing nearly 2.7 billion records was discovered online. The 1.17-terabyte database was not password-protected or encrypted, exposing a large amount of sensitive information related to the company's smart devices, including LED grow lights and hydroponic equipment.

The database contained logging, monitoring and error records for IoT devices sold worldwide. Among the exposed data were Wi-Fi network names (SSIDs), Wi-Fi passwords, IP addresses, device ID numbers and other details linked to user devices and the Mars Pro IoT software application. Plus, internal records referenced LG-LED SOLUTIONS LIMITED, a California-registered company, as well as Spider Farmer, which produces agricultural equipment.

It remains unclear how long the database was publicly accessible or whether any unauthorized parties accessed the data before access was restricted. The only way to confirm potential access or misuse would be through an internal forensic audit, but no such investigation has been publicly disclosed.

The unprotected database contained highly sensitive user and device information, including SSIDs and passwords stored in plain text, which could allow unauthorized users to access home networks. Although the researcher did not indicate that any personally identifiable information was exposed, the presence of network credentials, IP addresses, device ID numbers and data about smartphones running the IoT software raises serious security concerns.

The exposed credentials could theoretically enable an attacker to connect to the network, compromise other devices, intercept data or even launch targeted cyberattacks. This risk is particularly troubling, given the broader vulnerabilities within the IoT industry. 

According to a threat report by Palo Alto Networks, 57% of IoT devices across all industries are considered highly vulnerable, and an alarming 98% of data transmitted by these devices is unencrypted. The report further found that 83% of connected devices operate on outdated or unsupported operating systems, leaving them susceptible to attacks that exploit known vulnerabilities.

This incident underscores a recurring problem in the IoT sector: poor security practices, weak data protection and the absence of encryption. Without proactive security measures, such breaches will likely continue, exposing users to risks that extend beyond just their IoT devices, potentially compromising entire home or business networks.

If you own a Mars Hydro device or use the Mars Pro app, take the following steps to protect your data and secure your network:

1) Change your Wi-Fi password: Since Wi-Fi network names and passwords were stored in plain text, the first step is to update your router password immediately. Even if you believe your credentials were not directly exposed, it's best to assume otherwise. A strong password should be complex, combining upper and lowercase letters, numbers and special characters. Avoid using simple or easily guessable passwords, such as your name, address or basic numerical sequences.

3) Monitor your network for unusual activity: With Wi-Fi credentials and IP addresses exposed, attackers could attempt to access your network remotely. Checking your router's admin panel regularly to review connected devices is an important security measure. If you notice an unfamiliar device, remove it immediately and change your Wi-Fi password again.

5) Beware of phishing attempts and use strong antivirus software: Hackers may try to exploit the data from this breach by launching phishing attacks. If you receive an email claiming to be from Mars Hydro or LG-LED SOLUTIONS, urging you to reset your password or provide personal details, be cautious. Cybercriminals often create fake login pages designed to steal credentials. Do not click on suspicious links or download attachments from unknown senders.
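
The connected-device review from the monitoring step can be scripted. The following is an added example, not part of the original article: it assumes your router exposes its DHCP lease list in dnsmasq's lease-file format, and the sample leases, the `KNOWN_DEVICES` allowlist and the function names are constructed for illustration.

```python
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")

# Constructed sample in dnsmasq lease-file format:
# <expiry-epoch> <MAC> <IP> <hostname> <client-id>
SAMPLE_LEASES = """\
1745190000 3c:22:fb:10:aa:01 192.168.1.20 laptop 01:3c:22:fb:10:aa:01
1745190300 b8:27:eb:44:55:66 192.168.1.31 grow-light *
1745190600 de:ad:be:ef:00:01 192.168.1.77 * *
this line is malformed and is skipped
1745190900 a4:5e:60:c1:d2:e3 192.168.1.90 unknown-phone *
"""

# Hypothetical allowlist: MAC addresses of the devices you own.
KNOWN_DEVICES = {
    "3C:22:FB:10:AA:01": "laptop",
    "b8:27:eb:44:55:66": "grow light",
}


def is_randomized(mac):
    """True if the locally administered bit is set (typical of private/random MACs)."""
    return bool(int(mac[:2], 16) & 0x02)


def find_unfamiliar(leases_text, known):
    """Return (mac, ip, hostname, randomized) for every lease not in the allowlist."""
    known_macs = {m.lower() for m in known}  # compare case-insensitively
    unfamiliar = []
    for line in leases_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # not a lease record
        mac, ip, hostname = fields[1].lower(), fields[2], fields[3]
        if not MAC_RE.match(mac):
            continue  # second field is not a MAC address
        if mac not in known_macs:
            unfamiliar.append((mac, ip, hostname, is_randomized(mac)))
    return unfamiliar


if __name__ == "__main__":
    for mac, ip, host, rnd in find_unfamiliar(SAMPLE_LEASES, KNOWN_DEVICES):
        note = " (randomized MAC, may be a phone you own)" if rnd else ""
        print(f"unfamiliar: {mac} {ip} {host}{note}")
```

A randomized MAC is not proof of an intruder, since modern phones use private addresses by default, so confirm against your own devices before removing it and changing the Wi-Fi password.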

The Mars Hydro breach is yet another reminder of the security risks that come with IoT devices. Companies need to do a better job of protecting user data, but at the end of the day, it is up to you to secure your own network. Updating passwords, enabling two-factor authentication and keeping an eye on your connected devices can make a big difference in keeping your data safe and your smart home secure.


Copyright 2025 CyberGuy.com. All rights reserved.
