Threat Watch

Billions of Records Exposed From Unprotected Smart Home Database

More than two billion records were exposed through a leak of a database belonging to the China-based smart home tech company Orvibo. Researchers were able to pinpoint the locations of customers through the user logs and found they were located in China, Japan, Thailand, the US, the UK, Mexico, France, Australia, and Brazil. Included in the leak are email addresses, unsalted MD5 password hashes, account reset codes, precise geolocations, IP addresses, usernames, and user IDs. Additionally, the data included family names, family IDs, information on smart devices, devices that accessed the account, and scheduling information. The data, captured in both English and Chinese, could possibly have been accessed and used to lock users out of their accounts permanently. In a blog post, researchers stated, “A breach of this size has massive implications. Each device in Orvibo’s product catalog can have a different negative effect on its users. This is on top of having an abundance of identifying information about users. Much of the data can be pieced together both to disrupt a person’s home while possibly leading to further hacks.” After discovering the database, the researchers sent multiple emails to Orvibo, but the company has yet to respond, and at the time of this writing the database is still unsecured.

ANALYST NOTES

Since password hashes were included in the leak, users should promptly change their passwords. Until Orvibo addresses the issue, users may want to temporarily stop using their Orvibo devices. Email accounts should also be monitored for any suspicious activity.