A publicly accessible Elasticsearch server owned by Orvibo, a Chinese smart home device maker, exposed more than two billion log entries containing sensitive customer data. Orvibo left the Elasticsearch instance reachable from the Internet without a password, leaking data that includes email addresses, password hashes, and password reset codes. Despite having been aware of the problem for two weeks, the company has not taken any action to remediate it.
The database appears to have cycled through at least two billion log entries, each containing data about an Orvibo SmartMate customer. The fields in each entry varied with the operation being logged, such as logins, password resets, device heartbeats (regular check-ins), logouts, and others. Data typically found in these logs included Orvibo customers' email addresses, the IP addresses of the devices checking in, Orvibo usernames, and hashed passwords. In some cases there was also precise geolocation data, a customer's family name, the device's name, and information about the device's scheduled operations (such as turning lights on at specific hours, or enabling home alerts during specific intervals).
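The ops-side check that would have caught an exposure like the one described above, as an added example that is not from the article and not Orvibo's code: a small Python probe that requests an Elasticsearch node's cluster banner and its index listing without credentials and classifies each answer. A node with authentication enabled answers 401 with a `security_exception`; an open node returns the banner and the list of indices, which is all an attacker needs to start pulling data. The sample responses embedded in the block are constructed for the example; the index names and document counts are illustrative and are not the Orvibo data.

```python
"""Probe an Elasticsearch endpoint for unauthenticated access.

Added example; not taken from the original article or from Orvibo.
"""
import json
import urllib.error
import urllib.request

# Endpoints an unauthenticated scan hits first: the root banner (cluster name
# and version) and the index listing (what data is reachable and how much).
PROBE_PATHS = ("/", "/_cat/indices?format=json")


def classify(status, body):
    """Classify one HTTP response from a suspected Elasticsearch node.

    status: HTTP status code (int); body: response body (str).
    Returns "open", "auth_required" or "not_elasticsearch".
    """
    if status in (401, 403):
        # Security enabled: Elasticsearch answers 401 with a security_exception.
        return "auth_required"
    if status != 200:
        return "not_elasticsearch"
    try:
        data = json.loads(body)
    except ValueError:
        return "not_elasticsearch"
    # Root endpoint: a JSON object carrying cluster_name and version.
    if isinstance(data, dict) and "cluster_name" in data and "version" in data:
        return "open"
    # _cat/indices?format=json: a JSON array of index descriptors.
    if isinstance(data, list) and data and all(
        isinstance(i, dict) and "index" in i for i in data
    ):
        return "open"
    return "not_elasticsearch"


def summarize_indices(body):
    """Return (index_name, doc_count) pairs from a _cat/indices JSON body."""
    rows = json.loads(body)
    return [(r["index"], int(r.get("docs.count") or 0)) for r in rows]


def probe(base_url, timeout=5):
    """Request each probe path without credentials and classify the answers.

    Returns a dict mapping path -> classification; "unreachable" means the
    connection itself failed (refused, timed out, DNS failure).
    """
    results = {}
    for path in PROBE_PATHS:
        req = urllib.request.Request(
            base_url.rstrip("/") + path, headers={"Accept": "application/json"}
        )
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                results[path] = classify(
                    resp.status, resp.read().decode("utf-8", "replace")
                )
        except urllib.error.HTTPError as e:
            # 401/403 arrive here; the body still carries the error JSON.
            results[path] = classify(e.code, e.read().decode("utf-8", "replace"))
        except (urllib.error.URLError, OSError):
            results[path] = "unreachable"
    return results


# Constructed sample responses (not captured from any real server).
SAMPLE_ROOT_OPEN = json.dumps({
    "name": "node-1",
    "cluster_name": "smarthome-logs",
    "version": {"number": "6.8.0"},
    "tagline": "You Know, for Search",
})
SAMPLE_INDICES_OPEN = json.dumps([
    {"index": "user-logs-2019.06", "docs.count": "1200000000", "store.size": "400gb"},
    {"index": "device-heartbeat", "docs.count": "800000000", "store.size": "150gb"},
])
SAMPLE_AUTH_REQUIRED = json.dumps({
    "error": {
        "type": "security_exception",
        "reason": "missing authentication credentials for REST request [/]",
    },
    "status": 401,
})

if __name__ == "__main__":
    print("root, open      :", classify(200, SAMPLE_ROOT_OPEN))
    print("indices, open   :", classify(200, SAMPLE_INDICES_OPEN))
    print("root, protected :", classify(401, SAMPLE_AUTH_REQUIRED))
    print("exposed indices :", summarize_indices(SAMPLE_INDICES_OPEN))
    # Live probe against a host you own, e.g. probe("http://10.0.0.5:9200")
```

A node that answers `open` for `/_cat/indices` is the situation the article describes. The fix is to bind `network.host` to a private interface and enable authentication, and the probe should be run from outside the network, since a firewall rather than the node itself may be the only thing blocking the request from inside.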