Unprotected database of smart home vendor exposes billions of records

• The database exposed user records which contained sensitive data of its customers across the world.
• Orvibo is a China-based company that specializes in providing smart home solutions.

Security researchers found an unprotected Elasticsearch database leaking billions of user records which contained sensitive data. The database belonged to Orvibo, a China-based smart home solutions provider. According to researchers from vpnMentor, who discovered this database, it contained over two billion records which consisted of usernames, email addresses, passwords and locations of users.

Key highlights

• From the user logs, vpnMentor’s researchers identified that the customers were from China, Japan, Thailand, the US, the UK, Mexico, France, Australia, and Brazil.
• The data exposed from the database includes email addresses, passwords, account reset codes, precise geolocations, IP addresses, usernames, and user IDs. However, the passwords were hashed using MD5 without salt.
• On top of this, it also had family names, family IDs, information on smart devices, devices that accessed the account and scheduling information.
• The researchers caution that this information could have been used to permanently lock users out of their accounts.
• The records were captured in both China and English languages.

Worth noting

With the availability of all this information from the vulnerable database, vpnMentor researchers suggest that attackers could easily launch attacks on homes that have Orvibo devices.

“A breach of this size has massive implications. Each device in Orvibo’s product catalog can have a different negative effect on its users. This is on top of having an abundance of identifying information about users. Much of the data can be pieced together both to disrupt a person’s home while possibly leading to further hacks,” the researchers wrote in a blog.

The response

As of now, Orvibo has not responded to emails from vpnMentor regarding this breach. The database is yet to be secured.

Update, July 9: Upon discovery of the breach, Orvibo promptly secured the database and responded with the following statement:

"Once received the report from VpnMentor, ORVIBO technical and cyber security teams immediately took actions to fix this vulnerability risk and confirmed there is no any data leak or lost on actual end users on July 2nd. After we fixed the vulnerability, the security risk had been completely and timely removed. ORVIBO immediately upgraded password encryption mechanism and protection system of users account and password resetting."