A publicly accessible Elasticsearch cluster owned and managed by Orvibo, a Chinese provider of smart home solutions, was recently discovered to have leaked more than 2 billion user logs. These logs contain sensitive customer data from countries across the globe. Orvibo supplies its clients with smart home solutions designed to help them manage offices, hotels, and houses through smart systems that provide energy and security management along with remote control, data analysis, and recording through a home cloud platform.
Orvibo allows its users to access and control various devices using its smart home solutions. Its cloud platform supports smart lighting, interaction, HVAC, home security, home entertainment devices, and energy management. The leaked Orvibo database includes more than 2 billion logs that record everything from email addresses, usernames, and passwords to precise addresses of homeowners. These details are still available online since the company did not respond when it was contacted by vpnMentor's team.
The researchers said that as long as the company's database remains open, the amount of data accessible to the public continues to increase each day. The affected users are from various countries, including China, the US, the UK, Japan, Australia, France, Brazil, and Mexico. The exposed customer data includes passwords, account reset codes, usernames, email addresses, IP addresses, specific user geolocation, device name, family ID, family name, and user ID. There are also recorded conversations and scheduling information, including information in the owners' smart cameras.
To make matters worse, once the email address and the password on an account are changed, the account becomes unrecoverable. This leaves it open to hackers gaining total control of any smart home devices they wish to manipulate. Additionally, vpnMentor's research team discovered that the video feed from the smart cameras could be accessed simply by logging in to the owner's account with credentials that can easily be found in the company's database.
Moreover, owners are vulnerable to break-ins, since hackers can simply unlock their smart doors by combining precise geolocation and schedules swiped from their built-in calendar displays. Although Orvibo hashed its users' passwords, the hashes can be easily cracked. According to vpnMentor, a breach this massive has enormous implications. Each item in Orvibo's product catalog can have various negative effects on its users.
This is, of course, in addition to the wealth of identifying data about users. Most of this information can be easily pieced together not only to disrupt users' lives but also to carry out other serious hacks.