Your Wi-Fi was part of 2.7 billion records leaked

I bet you’ve never heard of Mars Hydro. It’s a company headquartered in Communist China that makes Internet of Things (IoT) devices. Their speciality? LED lights and hydroponics equipment.

Security researcher Jeremiah Fowler (I had him on the show about other breaches, and he’s a smart, standup guy) was digging around and found they had a massive 1.17TB database online for anyone to see. There was no encryption and no password required.

The database contained 2,734,819,501 sensitive records. My first thought: Why does a hydroponics company have so much data?

What is Mars Hydro?

Stick with me because it’s a mess. The records Fowler found belong to a California-registered company, LG-LED Solutions Limited. Within those are also database details and URLs to LG-LED Solutions, Mars Hydro and a company called Spider Farmer. 

They make and sell grow lights, fans, cooling systems and other gear used for agriculture. Mars Hydro is based in Shenzhen, China, with warehouses in the U.S., U.K. and Australia.

So, why was an agriculture company collecting all this data and storing it in an unsecured database? Probably because it’s the last place someone might look. Here’s what was sitting in there:

  • Over 100 million Wi-Fi network names (SSIDs) with passwords
  • IP addresses
  • Device ID numbers
  • All the devices connected to these Wi-Fi networks, including make, models and other details
  • App error logs

When Fowler spotted the Mars Hydro code and asked if the app was involved, LG-LED dodged the question. Their only response? “This app is the official product of Mars Hydro.” Translation: They’re not denying it.

The Mars Hydro app page for Google Play (Android) shows over 10,000 downloads and an abysmal 1.9-star rating. I didn’t spot a single rating on the iPhone App Store, which is common for apps that aren’t all that popular.

Interestingly, the privacy section says no data is collected and nothing is shared with third parties. Well, we already know they lied about at least one of those things. The app store shows the same thing: “The developer does not collect any data from this app.”

Once the exposed database was reported, it was locked down. You can bet there are copies of the database floating around the Dark Web. But there’s a bigger picture here. This is not just about one bad data breach. It’s about negligence in the IoT industry.

Data brokers are cashing in, but you can stop them

Everyone wants your Social Security number. Some requests are legit, like when you’re starting a new job, applying for a loan or verifying your identity.

But countless others, from data brokers to scammers, are after your nine-digit code, too. In fact, an estimated 2,400 data brokers operate in the U.S., collecting and selling billions of personal records, often without your knowledge. Some even offer “credit header data,” which includes Social Security numbers, for as little as $5 per record.

Hackers and scammers don’t want you to use EndpointLock: It stops them from capturing your keystrokes when you enter your usernames, account numbers and passwords. If you bank on your phone or do anything else confidential, you need this. Hit this link for 10% off.

Got a letter from Change Healthcare?

Don’t trash it! Hackers stole medical records and personal info in a Change Healthcare breach. Here’s what to do.

It’s everywhere: Hackers uploaded a free survival game to Steam. PirateFi was live for a week on the super-popular gaming site, spreading malware. Today’s cybercriminals have too many tricks up their sleeves. You need real-time protection that’s smarter than they are. My pick, TotalAV, is $19 for the first year and works with Windows PCs, Macs, iPhones and Androids.

Hacked on social media? Steps to take right now

The chances of your Instagram, X, Facebook, Amazon, Threads, Rumble, Twitch or other accounts getting taken over by spammy bots and data-stealing thieves have never been higher. So, don’t sit there all smug, thinking, “Oh, Kim, that could never happen to me!”

Wait, are public phone chargers dangerous?

Those charging kiosks in airports, hotels and malls are so tempting when you’re out and about with a dying phone. Their owners promise they’re safe. The government disagrees, and so do I. Groan, I know.

Welcome to the newest phase of juice jacking. The phenomenon has been around for more than 10 years. Hackers use public phone-charging stations to upload malware to your devices. Then, they ransom your device or steal your passwords. Super-duper.

I’m not switching: Microsoft Edge’s new scareware blocker spots pop-ups that try to trick you into downloading malware or giving hackers remote access. Sounds great … until you realize it works by scanning every page you visit. Want real-time protection you can trust? My pick is TotalAV.

Grubhub bites when it comes to security: Hackers stole names, passwords and credit card details for customers and delivery folks. No word on how many accounts were hit. If you use Grubhub, reset your password and keep an eye on your credit card charges.

🏥 Your health, at risk: Two patient monitors that track your vitals have gaping security holes. Hackers can snoop on data, mess with settings or even assume total control. The Chinese-built models completely ignore network settings, meaning someone with the right know-how can break in. The only fix hospitals have? Unplug it and keep it off the network.

New chips mean new risks: A serious flaw in Apple gear lets hackers snag data while you’re logged into Gmail in one tab and iCloud in another. The two vulnerabilities, named “FLOP” and “SLAP,” impact Mac laptops made in 2022 or later; Mac desktops from 2023 or later; iPad Pro, Air and Mini models from September 2021 and later; and iPhone 13, 14, 15 and 16 models, plus the iPhone SE (3rd-gen). There’s no fix yet. Be extra careful and log out of your email account when you’re not using it.

Age isn’t a number; it’s a word: Several states now require you to verify your age before accessing porn. To do this, you’ll need to upload a government ID, submit a facial scan or other biometric data, or let a third party verify your identity. That sounds great, but these sites store your data, making it vulnerable to hackers and potentially exposing the fact you watched “The Boobyguard,” not “The Bodyguard.”

🚨 Botnet alert: Researchers found a botnet called “Murdoc” targeting security cameras and routers worldwide. Over 1,000 devices are compromised; AVTECH IP cameras and Huawei HG532 routers are the main targets. Once hackers take control, they can launch DDoS attacks or steal your info. Fixes are coming from the manufacturers, so keep your router (steps here) and security cams updated.

🚨 National security alert: Chinese hackers breached the U.S. Department of Treasury, gaining access to over 400 computers, including those belonging to the Secretary and other top officials. Over 3,000 files were compromised, exposing sensitive info about sanctions, law enforcement and international affairs. An investigation is underway, but this is just the tip of the iceberg.

Attention, website owners: Over 1 million WordPress sites use the SEO and optimization plugin W3 Total Cache. A new flaw lets hackers steal all kinds of sensitive info from the backend of a site. If you use the plugin, download software update 2.8.2 to patch the bug right now.

Google could stop this, but they don’t: At the top of its search results for Google Ads are fake sites that collect your real login info. Fall for one, and hackers can take over your Google Ads account to post their scam URLs — or just sell your info to other criminals. Make sure 2FA for Google Ads is on to detect strange logins. More smarts like this are coming soon in my small-biz newsletter.

Wanna play a game? Meet Pdftris, the classic Tetris game packed inside a 60KB PDF, created by security analyst Thomas Rinsma. Hit this link to play it in your browser. It’s not a visual masterpiece, but that’s part of the charm. There’s one for Doom, too. Heads-up: Don’t start downloading random PDFs; hackers love that trick.

One bad click is all it takes: Hackers have so many ways to weasel into your system. EndpointLock encrypts your keystrokes when you enter usernames, account numbers and passwords so no one can copy and steal them. It’s genius. Hit this link for 10% off.

Nothing’s sacred: Hackers are targeting smartphone-controlled sex toys. Most aren’t very secure, so someone with the right know-how can easily intercept the toy’s unencrypted connection and change the intensity of the vibration, causing not-so-fun injuries.

🚌 Hackers will school you: Hackers broke into book publisher Scholastic’s employee portal and stole 8 million records, including parent, teacher and school admin names, emails, phone numbers and addresses. Some data relates to kids, too. The hackers say they won’t share the info publicly. Yeah, right.