Massive 1.17TB Data Leak Exposes Billions of IoT Grow Light Records


A massive 1.17 TB data leak has exposed billions of records from a Chinese IoT grow light company. Wi-Fi passwords, IP addresses, and device IDs are among the exposed data.

A large, unprotected database belonging to Mars Hydro, a company specializing in Internet of Things (IoT) grow lights and agricultural software, was discovered by cybersecurity researcher Jeremiah Fowler.

The database, containing a whopping 2.7 billion records totalling 1.17 terabytes, exposed a treasure trove of sensitive information, including Wi-Fi network names (SSIDs), passwords, IP addresses, device IDs, email addresses, and more.  

According to Fowler’s blog post for vpnMentor, which the company shared with Hackread.com ahead of its publication on Wednesday, 12 February 2025, the database contained folders labelled for logging, monitoring, and error records of IoT devices worldwide.

Sample analysis of over 100 million records across 13 folders revealed not only Wi-Fi network names but also their corresponding passwords, along with IP addresses and unique device identifiers. Interestingly, the data also appeared to link to the control devices, such as smartphones, used to manage these IoT products, revealing information about their operating systems (e.g. iOS and Android).

Further investigation linked the database to LG-LED SOLUTIONS LIMITED, a California-registered company. API details and URLs associated with LG-LED SOLUTIONS, Mars Hydro, and Spider Farmer (all involved in the manufacturing and sale of agricultural grow lights, fans, and cooling systems) were also present in the exposed data. Numerous records were specifically labelled “Mars-pro-iot-error” or “SF-iot-error,” suggesting a connection to these product lines.

Fowler also found error logs containing potentially sensitive information, including tokens, application versions, device types, and IP addresses, in addition to the Wi-Fi credentials. 

Following the discovery, Fowler promptly notified LG-LED SOLUTIONS and Mars Hydro, leading to the database being secured within hours. Mars Hydro, identified as a Shenzhen, China-based LED grow light manufacturer with warehouses in the UK, US, and Australia, confirmed to Fowler that the Mars Pro app is their official product. 

Nevertheless, questions remain regarding the database’s ownership, management, and the duration of its exposure. It is unclear if the database was managed directly by LG-LED SOLUTIONS or a third-party contractor. A thorough forensic audit would be required to determine the extent of any unauthorized access, Fowler noted in the blog post.

The Mars Pro app and connected devices have been exposing vast amounts of information. Such lapses can lead to misuse, like surveillance, man-in-the-middle attacks, and manipulation. The recently reported Matrix hacker group is a prime example of the ongoing exploitation of exposed IoT devices for DDoS botnets.

Additionally, studies indicate that a significant percentage of IoT devices (57%) are highly vulnerable, and that the majority of the data they transmit (98%) is unencrypted. To mitigate these risks, IoT device makers and app developers must prioritize data protection, avoid logging credentials and tokens in plain text, use encryption, secure internal cloud storage, and conduct regular security audits and penetration testing.
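One way to put the "avoid plain text logging" advice above into practice, as an added example that is not part of the article or of any vendor's code: a sanitiser that strips credentials and tokens from an IoT error record before it is written to storage, plus an audit helper that flags secret-named fields still held in clear text in records that were already stored. The field names, the regular expression, and the sample record are assumptions constructed for this example.

```python
import hashlib
import re

# Field names that must never reach a log store in clear text (assumed list).
SECRET_KEYS = re.compile(r"(pass(word|wd)?|psk|secret|token|api[_-]?key|auth)", re.I)
# Identifiers kept for correlation, but only as keyed hashes (assumed list).
PSEUDONYMISE_KEYS = {"ssid", "device_id", "email", "ip"}
REDACTED = "[REDACTED]"

def pseudonymise(value: str, salt: str) -> str:
    """Salted SHA-256 prefix: same input maps to same output, raw value is not stored."""
    return hashlib.sha256((salt + value).encode()).hexdigest()[:16]

def sanitise(record, salt: str):
    """Recursively copy a log record, dropping secrets and hashing identifiers."""
    if isinstance(record, dict):
        out = {}
        for key, val in record.items():
            if SECRET_KEYS.search(key):
                out[key] = REDACTED
            elif key.lower() in PSEUDONYMISE_KEYS and isinstance(val, str):
                out[key] = pseudonymise(val, salt)
            else:
                out[key] = sanitise(val, salt)
        return out
    if isinstance(record, list):
        return [sanitise(v, salt) for v in record]
    return record

def leaked_fields(record, path=""):
    """Audit helper: paths of secret-named fields still holding clear-text values."""
    found = []
    if isinstance(record, dict):
        for key, val in record.items():
            p = f"{path}.{key}" if path else key
            if SECRET_KEYS.search(key) and val != REDACTED:
                found.append(p)
            found.extend(leaked_fields(val, p))
    elif isinstance(record, list):
        for i, v in enumerate(record):
            found.extend(leaked_fields(v, f"{path}[{i}]"))
    return found

# Constructed sample error record with the field categories the article lists.
SAMPLE = {"tag": "iot-error", "device_id": "dev-0001", "ip": "203.0.113.5",
          "wifi": {"ssid": "HomeNet", "password": "hunter2"},
          "auth_token": "abc123", "os": "Android"}
```

Running `leaked_fields(SAMPLE)` on the raw record returns `['wifi.password', 'auth_token']`, while running it on `sanitise(SAMPLE, "example-salt")` returns an empty list, with the SSID, device ID and IP replaced by hashes that still allow records from the same device to be correlated.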
