It's a headline that has been played time and time again, but with no end in sight to its repetitive nature. This latest data breach left over 2 billion security records exposed to the public without even a simple password to protect the database. The offending breach was found on Orvibo's servers and was discovered by vpnMentor, a cybersecurity research group that runs a project designed to map vulnerabilities on the web.
Orvibo's database has now been sealed up, as of July 2nd, and seems to be configured as it should be, protecting its users' data as it claims.
Using a simple scan tool, vpnMentor's software was able to navigate successfully to the Elasticsearch database and browse all of its information without the need for any kind of authentication first. Elasticsearch databases are pervasive on the Internet and, while they're not inherently a problem in and of themselves, the setup process is what's causing a headache for many companies dealing with similar breaches of data.
Out of the box, Elasticsearch's REST API does not require a password, and it seems many IT departments have skipped the extra step of configuring authentication for this database interface along the way. This mistake on Orvibo's part left an unbelievable amount of sensitive data exposed to, quite literally, anyone who wanted to view it by simply typing an address into their favorite browser.
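As an added defender's example (not code from vpnMentor, Orvibo or this article), here is a small Python audit of an `elasticsearch.yml` that flags exactly the shape described above: an HTTP API bound beyond loopback while authentication is off. The setting names used (`network.host`, `http.host`, `xpack.security.enabled`, `xpack.security.http.ssl.enabled`) are real Elasticsearch settings, and before Elasticsearch 8.0 `xpack.security.enabled` defaulted to `false`, so simply omitting it leaves the API open. The two sample configurations are constructed for the example, and the parser only understands the flat `dotted.key: value` lines that `elasticsearch.yml` is normally written in, not nested YAML.

```python
# Added example: audit a flat elasticsearch.yml for the exposure pattern in the
# article (HTTP API reachable off-loopback with authentication disabled).
# Sample configs are constructed; the parser only understands flat
# "dotted.key: value" lines, which is how elasticsearch.yml is usually written.

LOOPBACK = {"_local_", "127.0.0.1", "localhost", "::1"}

# Constructed: the weak shape described in the article. Before Elasticsearch 8.0
# xpack.security.enabled defaulted to false, so omitting it leaves auth off.
WEAK_CONFIG = """
cluster.name: smart-home-logs
network.host: 0.0.0.0          # listen on every interface
http.port: 9200
"""

# Constructed: the corrected shape, authentication and TLS on the HTTP layer.
HARDENED_CONFIG = """
cluster.name: smart-home-logs
network.host: 10.0.0.12        # private interface only the app tier can reach
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
"""


def parse_flat_yaml(text):
    """Return {key: value} for flat 'key: value' lines, dropping comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def _as_set(value):
    """Accept 'a', '[a, b]' or '"a", "b"' style values and return a set of hosts."""
    return {h.strip().strip('"').strip("'") for h in value.strip("[]").split(",")}


def _truthy(settings, key, default="false"):
    return settings.get(key, default).strip().lower() == "true"


def audit(config_text):
    """Return (severity, message) findings for one elasticsearch.yml body."""
    s = parse_flat_yaml(config_text)
    # Default network.host is _local_ (loopback only); http.host overrides it.
    bound = _as_set(s.get("http.host", s.get("network.host", "_local_")))
    exposed = not bound <= LOOPBACK
    auth_on = _truthy(s, "xpack.security.enabled")       # pre-8.0 default: false
    tls_on = _truthy(s, "xpack.security.http.ssl.enabled")

    findings = []
    if exposed and not auth_on:
        findings.append(("CRITICAL", f"HTTP API bound to {sorted(bound)} with no authentication"))
    elif not auth_on:
        findings.append(("INFO", "authentication disabled, but the node only listens on loopback"))
    if exposed and not tls_on:
        findings.append(("WARNING", "HTTP API reachable off-loopback without TLS"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "no findings")
```

Run against the weak sample it reports a CRITICAL finding (open API, no authentication) and a WARNING (no TLS); the hardened sample produces no findings. A config with no `network.host` at all gets only an INFO note, because the default binding is loopback, which is why the problem typically appears the moment someone sets `network.host: 0.0.0.0` to make the cluster reachable without also turning security on.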
The exposed data included everything from email addresses to passwords, account reset codes, precise geolocation, IP addresses, usernames, user IDs, family names, family IDs, smart device information, and even the device that accessed the account and scheduling information.
The most disconcerting pieces of data that were exposed were the password reset codes for users, which could easily have allowed someone to hijack the accounts of countless users by entering this "forgotten password" code and changing not only the password for an account but also the email address. This would leave an account completely unrecoverable, with all of the owner's smart home gadgets exposed to such a person.
The other worry is that recorded conversations and other extremely personal files were stored in this database alongside the other records, and could have led to the exposure of even more personal data.
Orvibo is a manufacturer and software developer that houses the data of "millions of users," which is self-proclaimed by the company on its website. It also services and logs data for devices in many countries around the world, including Australia, Brazil, China, France, Japan, Mexico, Thailand, the United Kingdom, and the U.S.
Its products can be easily found on Amazon and are quite cost-competitive, sporting designs and features that people are certainly likely to buy. But it highlights the need to have reputable companies who have been vetted by third-party security firms powering IoT and smart home devices throughout your place of work or residence.
Orvibo was first notified by vpnMentor on June 16th and took several weeks to respond at all. VpnMentor's initial report was published on July 1st and, ironically, saw the breach patched just the next day.