2.7 Billion Records Exposed: Mars Hydro’s IoT Nightmare Highlights Security Gaps

In February 2025, more than 2.7 billion records, including Wi-Fi network names, passwords, IP addresses, and device IDs, were exposed in a data breach. The data belongs to Mars Hydro, an Internet of Things (IoT) device manufacturer based in China, and to LG-LED Solutions, based in California. 

The data was found in an exposed database – 1.17 terabytes of unprotected data that consisted of 13 folders with over 100 million records each. Error logs included in the data revealed device operating system details, API tokens, and app versions. 

The exposed data appears to belong to Mars Hydro’s Mars Pro App users. Mars Hydro quickly contained the breach, but there is no telling how long threat actors may have had access to the exposed information. 

This is a large breach by any measure and is especially indicative of the security risks facing users of IoT devices. Mars Hydro makes smart home equipment like LED grow lights and hydroponic equipment for indoor plants. The information included in the unsecured data could have been highly sensitive. There’s little insight into how it may or may not be used in future attacks.

Why the Mars Hydro Breach Matters

Threat actors did not cause the Mars Hydro data breach. The databases were unsecured when security researcher Jeremiah Fowler discovered them, which means anyone could have found the data and used it to discover other Mars Hydro products connected to the internet. 

The data could be used for unauthorized network access or what’s called a “nearest neighbor” attack where threat actors compromise a nearby wireless network. In November 2024, the Russian threat actor group “Fancy Bear” used the method to compromise wireless networks near their intended target in Washington, D.C. This has been seen with network spoofing devices physically disguised to look like ordinary technology, such as laptops and even other IoT devices.

Fancy Bear used credential stuffing to compromise two wireless networks in close physical proximity to their intended target. They were then able to connect to the target’s wireless network directly using credentials. 

Because the data in the Mars Hydro breach included IP addresses and wireless network information, this intelligence could be used in a similar attack. Given that many IoT devices remain unsecured or use outdated operating systems, the risk of these devices being used as an initial access vector is substantial. 

Knowing where these devices are located, as is possible with the Mars Hydro data, can create favorable conditions for even the most opportunistic threat actor. 

Securing IoT Data Against Compromise

As the number of IoT devices installed in the enterprise expands, companies must take steps to protect their systems against compromise. This data exposure was so potentially damaging because it demonstrates how easy it is for IoT manufacturers to leave sensitive data accessible. Connected devices are often poorly managed, especially by manufacturers, so security teams must have a way to counter that. 

With a “nearest neighbor” attack, securing wireless networks becomes especially important. Unfortunately, many organizations don’t have visibility into the full scope of their IoT architecture. The lack of intelligence around what’s attached to the network, potential vulnerabilities, and normal device behavior stymies the ability of security teams to protect critical systems. 

Security teams need to complete an inventory of their devices, empowering them to capture information about the connected equipment in their network. Going beyond this inventory is also vital to ensure overall security. To do that, teams must:

Conduct a Risk Analysis of All Connected Devices

Conducting a risk analysis is vital. Not every vulnerability will result in a device takeover, and not every database will become compromised. A risk analysis that weighs the real likelihood of a vulnerability being exploited, in the specific context in which the device operates, ensures that defensive resources are deployed where they matter.

Performing this risk analysis on each connected IoT device means that security teams can apply the most comprehensive security to the equipment with the most potential for compromising other systems. This ultimately results in better security through a more efficient allocation of security resources. 

Because not all devices have the same potential impact when compromised, not everything should necessarily get the same level of security monitoring or defenses. Tiering defenses this way is the practical outcome of conducting a risk analysis on every discovered IoT device. 
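The contextual scoring described in this section, as an added example that is not Asimily's model or code: the factor names, weights, tier thresholds and the sample inventory are all constructed for illustration. It scores each device by how likely a known weakness is to be exploited in its context (internet exposure, unsupported OS, manufacturer-cloud management) and by what the device can reach, then maps the score to a monitoring tier, so an internet-exposed grow light on an isolated segment lands below an internal controller that can reach critical systems.

```python
"""Contextual risk scoring for discovered IoT devices.

Added example, not Asimily's model: the factor names, weights, sample
devices and tier thresholds below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    name: str
    cvss_base: float         # worst known CVE base score for this device, 0-10
    internet_exposed: bool   # reachable from outside the network perimeter
    os_supported: bool       # vendor still ships security updates for its OS
    cloud_managed: bool      # manufacturer cloud holds credentials/telemetry
    reachable_critical: int  # critical systems reachable from its segment


def likelihood(d: Device) -> float:
    """Estimate (0-1) that a known weakness is actually exploited in context."""
    score = d.cvss_base / 10.0
    if d.internet_exposed:
        score *= 1.5   # directly attackable, no foothold needed
    if not d.os_supported:
        score *= 1.3   # never patched; known exploits stay valid
    if d.cloud_managed:
        score *= 1.2   # vendor-side exposure, as in the Mars Hydro database
    return min(score, 1.0)


def impact(d: Device) -> float:
    """Estimate (0-1) of damage: the device itself plus what it can reach."""
    return min(0.2 + 0.2 * d.reachable_critical, 1.0)


def risk(d: Device) -> float:
    """Contextual risk on a 0-100 scale."""
    return round(likelihood(d) * impact(d) * 100, 1)


def tier(score: float) -> str:
    """Map a risk score to the level of monitoring/defense the device gets."""
    if score >= 50:
        return "high"      # continuous monitoring, segment isolation, patch first
    if score >= 20:
        return "medium"    # periodic review, baseline behaviour monitoring
    return "low"           # inventory only


def rank(devices: list[Device]) -> list[tuple[str, float, str]]:
    """Devices ordered by contextual risk, highest first, with their tier."""
    scored = [(d.name, risk(d), tier(risk(d))) for d in devices]
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed inventory: the values are illustrative, not measured.
INVENTORY = [
    Device("grow-light-01", 7.5, True, False, True, 0),
    Device("hvac-controller", 9.8, False, False, False, 4),
    Device("badge-reader", 5.3, False, True, True, 1),
    Device("lobby-camera", 4.0, False, True, False, 0),
]

if __name__ == "__main__":
    for name, score, level in rank(INVENTORY):
        print(f"{name:16} risk={score:5.1f} tier={level}")
```

The multipliers are deliberately simple; the point is that exposure and reachability are scored separately, so a device that is easy to compromise but reaches nothing does not outrank one that is harder to reach but sits next to critical systems.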

Implement Controls for Configuration Drift

Configuration drift is one of the biggest issues for IoT devices, as it’s incredibly easy for anyone to make configuration changes that can create potential security problems. Maybe a technician is trying to get data from the IoT device, or the manufacturer is making remote upgrades. Either one of those situations could cause configuration drift that may potentially leave organizations open to attack. 

As such, organizations need a solution that can take configuration snapshots and make it easier to monitor changes in device settings that may be potentially dangerous. Integrating a configuration control solution, like the one Asimily provides, into the security strategy ensures that defenders have insight into the last known good state and can quickly revert to that. 
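The snapshot-and-compare control described above, as an added example rather than Asimily's product code: the configuration keys, the rules for which changes count as dangerous, and the two device snapshots are constructed for illustration. A canonical hash of the last known good configuration gives a cheap "anything changed?" check; when it differs, a key-by-key diff is classified so a harmless NTP change is separated from an opened telnet service, a management range widened to the whole internet, or a firmware downgrade, and the known-good snapshot is what gets pushed back.

```python
"""Configuration drift detection against a last-known-good snapshot.

Added example, not Asimily's product: config keys, the "dangerous change"
rules and the sample device configs are constructed for illustration.
"""
import hashlib
import json
from copy import deepcopy


def _version(v: str) -> tuple[int, ...]:
    return tuple(int(part) for part in v.split("."))


# Which changes weaken the device. Each rule sees (old, new) and returns True
# when the new value is the dangerous one. Constructed for this example.
DANGEROUS = {
    "telnet_enabled": lambda old, new: new is True,
    "remote_mgmt_cidr": lambda old, new: new == "0.0.0.0/0",
    "default_password_changed": lambda old, new: new is False,
    "firmware_version": lambda old, new: (
        old is not None and new is not None and _version(new) < _version(old)
    ),
    "cloud_telemetry": lambda old, new: new is True and old is not True,
}


def fingerprint(config: dict) -> str:
    """Stable hash of a config: same settings, same hash, regardless of key order."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def diff(baseline: dict, current: dict) -> dict:
    """Keys whose value differs, mapped to (old, new); missing keys show as None."""
    return {
        key: (baseline.get(key), current.get(key))
        for key in sorted(set(baseline) | set(current))
        if baseline.get(key) != current.get(key)
    }


def classify(changes: dict) -> list[tuple[str, object, object, str]]:
    """Label each change 'dangerous' or 'benign' according to the rules."""
    findings = []
    for key, (old, new) in changes.items():
        rule = DANGEROUS.get(key)
        severity = "dangerous" if rule and rule(old, new) else "benign"
        findings.append((key, old, new, severity))
    return findings


class DriftMonitor:
    """Holds the last known good snapshot and checks live configs against it."""

    def __init__(self, known_good: dict):
        self.known_good = deepcopy(known_good)
        self.known_good_hash = fingerprint(known_good)

    def check(self, current: dict) -> list:
        if fingerprint(current) == self.known_good_hash:
            return []                      # cheap path: nothing changed
        return classify(diff(self.known_good, current))

    def dangerous_keys(self, current: dict) -> list[str]:
        return [f[0] for f in self.check(current) if f[3] == "dangerous"]

    def revert(self) -> dict:
        """The configuration to push back to the device."""
        return deepcopy(self.known_good)


# Constructed snapshots: the state captured at onboarding, then the state
# seen after a technician pulled data and a remote upgrade ran.
KNOWN_GOOD = {
    "telnet_enabled": False,
    "remote_mgmt_cidr": "10.0.0.0/8",
    "default_password_changed": True,
    "firmware_version": "2.4.1",
    "cloud_telemetry": False,
    "ntp_server": "10.0.0.5",
}
DRIFTED = {
    "telnet_enabled": True,            # technician opened a debug path
    "remote_mgmt_cidr": "0.0.0.0/0",   # management reachable from anywhere
    "default_password_changed": True,
    "firmware_version": "2.3.0",       # remote "upgrade" actually downgraded
    "cloud_telemetry": False,
    "ntp_server": "10.0.0.6",          # harmless operational change
}

if __name__ == "__main__":
    monitor = DriftMonitor(KNOWN_GOOD)
    for key, old, new, severity in monitor.check(DRIFTED):
        print(f"{severity:9} {key}: {old!r} -> {new!r}")
```

Hashing the canonical JSON rather than the raw file means two exports of the same settings in different key order compare equal, so only real changes reach the classifier.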

Integrate Behavior Monitoring and Anomaly Detection

Monitoring for anomalous behavior can be an early warning system when something goes wrong. Every piece of connected equipment has a specific protocol it uses and specific other devices it communicates with. 

Monitoring for anomalous behavior ensures that security teams are made aware of any change in what a device does. A breach like Mars Hydro's can lead to misuse of the affected devices, and monitoring is what makes that misuse visible.  

Alerts on anomalous behavior can then trigger investigations and help lock down any problems, thwarting a potential compromise. Anomalous behavior monitoring can also surface issues that are not malicious, such as configuration drift that reduces the security of the device. 
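The baseline-then-deviation approach described in this section, as an added example that is not Asimily's detection logic: the flow records, device names and addresses are constructed, in a "timestamp source destination protocol port bytes" format assumed for the example. A learning window captures, per device, the peers it talks to, the protocol/port pairs it uses and the largest flow seen; later flows are then flagged for a new peer, a new service, a volume spike, or a device that was never inventoried at all.

```python
"""Baseline-and-deviation behaviour monitoring for IoT devices.

Added example, not Asimily's detection logic. The flow records, device
names and addresses are constructed; the assumed record format is
"ts src dst proto port bytes".
"""
from collections import defaultdict

# Constructed learning-window flows: what the devices do when healthy.
BASELINE_FLOWS = """\
1000 grow-light-01 10.0.5.2 tcp 8883 1200
1060 grow-light-01 10.0.5.2 tcp 8883 1310
1120 grow-light-01 10.0.5.3 udp 123 76
1180 badge-reader 10.0.5.10 tcp 443 2400
1240 badge-reader 10.0.5.3 udp 123 76
"""

# Constructed flows observed later, including suspicious ones.
OBSERVED_FLOWS = """\
2000 grow-light-01 10.0.5.2 tcp 8883 1250
2030 grow-light-01 10.0.9.40 tcp 445 3000
2060 grow-light-01 10.0.5.2 tcp 8883 900000
2090 badge-reader 10.0.5.10 tcp 443 2100
2120 new-sensor-07 10.0.5.2 tcp 8883 500
"""


def parse(text: str) -> list[tuple[str, str, str, int, int]]:
    """Turn flow lines into (src, dst, PROTO, port, bytes) tuples."""
    flows = []
    for line in text.strip().splitlines():
        _ts, src, dst, proto, port, nbytes = line.split()
        flows.append((src, dst, proto.upper(), int(port), int(nbytes)))
    return flows


def learn(flows) -> dict:
    """Per-device profile: peers it talks to, services it uses, largest flow seen."""
    profile = defaultdict(lambda: {"peers": set(), "services": set(), "max_bytes": 0})
    for src, dst, proto, port, nbytes in flows:
        p = profile[src]
        p["peers"].add(dst)
        p["services"].add((proto, port))
        p["max_bytes"] = max(p["max_bytes"], nbytes)
    return dict(profile)


def detect(profile: dict, flows, spike_factor: int = 5) -> list[tuple[str, str, str]]:
    """Alerts for flows that deviate from the learned profile."""
    alerts = []
    for src, dst, proto, port, nbytes in flows:
        p = profile.get(src)
        if p is None:
            # A device with no profile at all: missing from the inventory.
            alerts.append((src, "unknown-device", f"{dst} {proto}/{port}"))
            continue
        if dst not in p["peers"]:
            alerts.append((src, "new-peer", dst))
        if (proto, port) not in p["services"]:
            alerts.append((src, "new-service", f"{proto}/{port}"))
        if nbytes > spike_factor * p["max_bytes"]:
            alerts.append((src, "volume-spike", f"{nbytes} bytes"))
    return alerts


def run() -> list[tuple[str, str, str]]:
    """Learn from the baseline window, then evaluate the observed window."""
    return detect(learn(parse(BASELINE_FLOWS)), parse(OBSERVED_FLOWS))


if __name__ == "__main__":
    for device, kind, detail in run():
        print(f"{device:14} {kind:14} {detail}")
```

In the constructed data the grow light normally speaks only MQTT over TLS to one broker and NTP to one server, so a connection to a file-sharing port on a new host and a flow several hundred times larger than anything in the baseline each raise a separate alert, while the badge reader's ordinary traffic stays silent.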

Defend Against Imminent IoT Threats 

IoT devices and the data that they store remain a security challenge for even the most robust organizations. As more connected devices enter the average organization, their data and their operations become more crucial yet more challenging to secure. Performing a risk analysis, ensuring good device behavior is benchmarked and deviations are detectable, and defending against configuration drift will go a long way toward ensuring overall IoT device defense. 

The biggest IoT risks include the data that device manufacturers store about these systems. Given how big a threat IoT systems face, enterprise defenders need to seriously consider all the tools at their disposal and ensure they are properly set up for protecting critical data. By accurately applying the right IoT security strategy, they can ensure that happens. To learn more about Asimily, download our IoT Device Security in 2024: The High Cost of Doing Nothing whitepaper or contact us today.
