Security researchers found an unprotected Elasticsearch database leaking billions of user records which contained sensitive data. The database belonged to Orvibo, a China-based smart home solutions provider. According to researchers from vpnMentor, who discovered this database, it contained over two billion records which consisted of usernames, email addresses, passwords and locations of users.
With the availability of all this information from the vulnerable database, vpnMentor researchers suggest that attackers could easily launch attacks on homes that have Orvibo devices.
“A breach of this size has massive implications. Each device in Orvibo’s product catalog can have a different negative effect on its users. This is on top of having an abundance of identifying information about users. Much of the data can be pieced together both to disrupt a person’s home while possibly leading to further hacks,” the researchers wrote in a blog.
As of now, Orvibo has not responded to emails from vpnMentor regarding this breach. The database is yet to be secured.
Update, July 9: Upon discovery of the breach, Orvibo promptly secured the database and responded with the following statement:
"Once received the report from VpnMentor, ORVIBO technical and cyber security teams immediately took actions to fix this vulnerability risk and confirmed there is no any data leak or lost on actual end users on July 2nd. After we fixed the vulnerability, the security risk had been completely and timely removed. ORVIBO immediately upgraded password encryption mechanism and protection system of users account and password resetting."