I bet you’ve never heard of Mars Hydro. It’s a company headquartered in Communist China that makes Internet of Things (IoT) devices. Their speciality? LED lights and hydroponics equipment.
Security researcher Jeremiah Fowler (I had him on the show about other breaches, and he’s a smart, stand-up guy) was digging around and found they had a massive 1.17TB database online for anyone to see. There was no encryption and no password required.
The database contained 2,734,819,501 sensitive records. My first thought: Why does a hydroponics company have so much data?
What is Mars Hydro?
Stick with me because it’s a mess. The records Fowler found belong to a California-registered company, LG‑LED Solutions Limited. Within those are also database details and URLs to LG‑LED Solutions, Mars Hydro and a company called Spider Farmer.
They make and sell grow lights, fans, cooling systems and other gear used for agriculture. Mars Hydro is based in Shenzhen, China, with warehouses in the U.S., U.K. and Australia.
So, why was an agriculture company collecting all this data and storing it all in an unsecured database? Probably because it’s the last place someone might look. Here’s what was in it:
- Over 100 million Wi‑Fi network names (SSIDs) with passwords
- IP addresses
- Device ID numbers
- All the devices connected to these Wi‑Fi networks, including make, models and other details
- App error logs
When Fowler spotted the Mars Hydro code and asked if the app was involved, LG‑LED dodged the question. Their only response? “This app is the official product of Mars Hydro.” Translation: They’re not denying it.
The Mars Hydro app page for Google Play (Android) shows over 10,000 downloads and an abysmal 1.9-star rating. I didn’t spot a single rating on the iPhone App Store, which is common for apps that aren’t all that popular.
Interestingly, the privacy section says no data is collected and nothing is shared with third parties. Well, we already know they lied about at least one of those things. The app store shows the same thing: “The developer does not collect any data from this app.”
Once the vulnerability was reported, the database was locked down. You can bet there are copies of the database floating around the Dark Web. But there’s a bigger picture here. This is not just about one bad data breach. It’s about negligence in the IoT industry.
It’s a wake-up call
Look around. Do you have smart bulbs? A smart speaker, cheapo security camera, thermostat or smart fridge? Every one of these devices is a potential entry point for hackers if the company behind them isn’t taking security seriously.
I’ve been telling you for years IoT devices are the hidden way into your home’s network. Many of these devices ship with weak security, hardcoded passwords or no way to install updates. To make it worse, most people never change the default settings or don’t even know they can. Yup, default passwords are easily found over the web.
That’s exactly how cybercriminals get in. Once they have access to your Wi‑Fi network, they can snoop on your traffic, steal your login credentials and take over other connected devices. Imagine waking up to find your smart thermostat cranked to 90 degrees, your security cameras disabled and your email hacked, all because a cheap smart bulb had a security flaw.
Look for this setting
Many IoT devices and smart home gadgets allow you to control them from anywhere via an app or web portal. It’s convenient, absolutely, but remote access opens the door for hackers if the manufacturer’s security is questionable.
It’ll be different for every device, but here’s a starting place:
- Open the app for your smart camera, thermostat, smart plug or anything else.
- Under Settings, look for Device Preferences > Remote Access. The exact wording will vary, and it may be called something like "Cloud Control," "Remote Connection" or "External Access."
- Disable any setting that allows connections outside your home network.
A change you can make right now
Not every device lets you turn off remote access. There’s one easy fix that cuts down on the risk of anything that uses Wi‑Fi in your house becoming an entry point: Move it to a guest network.
Warning: This will take you a few minutes, but it’s totally doable.
Step 1: Log in to your router’s admin console. You’ll need your router’s IP address. You can usually find this on a sticker on the bottom or side of your router. Seeing 192.168.1.1 or 192.168.0.1 is common.
If you don’t see yours …
- On Windows: Open the Start menu and search for Command Prompt. With your Command Prompt open, type in ipconfig and press Enter. Look for the line that says “Default Gateway.” This is your router’s IP address.
- On Mac: Go to System Settings > Network. Select your Wi‑Fi network and hit Advanced. Your router’s IP address is under Router.
Step 2: Open your browser, type http:// and paste in your router’s IP address. Hit Enter to open a login page. For the credentials, try the username admin and the word password for the password. If the defaults are different, they’re likely printed on your router. You can also try this site that lists default passwords for almost every router in use.
Step 3: Look for a setting called Guest Network or Guest Wi‑Fi. Give it a different name (aka SSID) than your main network, along with a strong, unique password.
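For Step 1 on Windows, ipconfig often prints more than one “Default Gateway” line: some are blank, and some show an IPv6 address first with the IPv4 address on the following line. The Python sketch below is an added example, not part of the original article; the sample output is constructed and the function names are hypothetical. It picks out the address to type into the browser in Step 2.

```python
import ipaddress

# Constructed sample of `ipconfig` output (not captured from a real machine).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Wireless LAN adapter Wi-Fi:

   IPv4 Address. . . . . . . . . . . : 192.168.1.23
   Default Gateway . . . . . . . . . : fe80::1%12
                                       192.168.1.1

Ethernet adapter vEthernet (WSL):

   IPv4 Address. . . . . . . . . . . : 172.22.0.1
   Default Gateway . . . . . . . . . :
"""

def _parse_ip(text):
    """Return an ip_address object, or None if text is not an address."""
    try:
        return ipaddress.ip_address(text.strip().split("%")[0])  # drop IPv6 zone id
    except ValueError:
        return None

def default_gateways(ipconfig_text):
    """Map each adapter name to the gateway addresses listed under it."""
    gateways, adapter, in_gateway = {}, None, False
    for line in ipconfig_text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            adapter, in_gateway = line.rstrip()[:-1], False   # adapter header
        elif "Default Gateway" in line:
            in_gateway = True
            ip = _parse_ip(line.partition(":")[2])            # value may be blank
            if ip:
                gateways.setdefault(adapter, []).append(ip)
        elif in_gateway and _parse_ip(line):                  # continuation line
            gateways.setdefault(adapter, []).append(_parse_ip(line))
        else:
            in_gateway = False
    return gateways

def router_admin_url(ipconfig_text):
    """Return http://<first private IPv4 gateway>, or None if there is none."""
    for ips in default_gateways(ipconfig_text).values():
        for ip in ips:
            if ip.version == 4 and ip.is_private:
                return f"http://{ip}"
    return None
```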
It’s impossible to keep up
For every major breach I tell you about, know there are dozens more. With each one, the dossier of info about you available to anyone willing to pay grows. In this case, we’re talking about your IP address, device info and Wi‑Fi network details.