Billions of user logs from users of devices manufactured by Chinese smart home device maker Orvibo Inc. have been found online in the latest of many unnecessary data exposures.

Discovered by security researchers at vpnMentor and revealed today, the breach included data such as usernames, email addresses, passwords and location information. It was found sitting on an ElasticSearch server owned by the company that was unsecured with a password.

Worse still, vpnMentor informed Orvibo of the data breach two weeks ago and the company, at least as of the time of the report, had failed to secure the data.

Exactly how many users are affected is not clear. Orvibo, who also trades under the name of Smartmate, claims to have 1 million customers, but the actual number may be higher. The company sells its smart home devices, some of which include Alexa support built-in, on major e-commerce sites including Amazon.com Inc.

There’s no evidence to date that the data has been accessed by bad actors but given that Orvibo has failed to act on taking the data down, it’s unclear if it was accessed.

Ben Goodman, senior vice president of global business and corporate development at digital identity management firm ForgeRock Inc., told SiliconANGLE that the data encased in Orvibo’s misconfigured server is extremely specific and creates the opportunity for a malicious actor to cross-reference it with previously stolen data to create an effective credential-stuffing list.

“This is a perfect example of how a data breach at one business can open up a new cyberthreat for other organizations, something that 61% of CEOs are aware of according to PwC’s 19th Annual Global CEO Survey,” Goodman said.

Anurag Kahol, chief technology officer at cloud access security broker Bitglass Inc., expanded on the threat the exposed data poses, in particular the reuse of passwords across multiple accounts.”

“This means that if a cybercriminal obtains a single password, then they can potentially gain access to a number of accounts across multiple services that their victim uses,” Kahol explained. “It’s even plausible that a hacker could gain control over the smart devices linked to customers’ accounts in order to unlock doors and turn off security cameras, facilitating break-ins and burglaries.”

The data exposure is likely to have legal ramifications. Jonathan Bensen, chief information security officer at cybersecurity firm Balbix Inc., said that by failing to secure its European Union customers’ data, Orvibo is susceptible to penalties under the General Data Protection Regulation.

“Given the nature of this breach and the sensitive consumer data exposed, it would not be surprising to see further litigations taken on behalf of citizens in other countries, including the U.S.,” Bensen said. “As more Chinese companies expand into the U.S. without taking proper security precautions, they expose themselves to lawsuits.”

Image: Amazon