A day after news broke that Orvibo, a China-based cloud computing and IoT company that sells smart home products, had leaked a database containing billions of pieces of sensitive information about its users, including their exact geolocation, the company has spoken up. It confirms that its database was indeed compromised and says it has provided the necessary fixes and enhancements.
“Firstly, we sincerely apologize for this issue,” said a statement posted on the company’s official Twitter account, @orvibo. “Once we received the report on July 2nd, ORVIBO’s RD team took immediate action to resolve data leak vulnerability.”
Yesterday, Z6Mag reported that more than 2 million records had been compromised due to an unsecured online database that contains sensitive information, including the precise location of the devices manufactured by Orvibo.
The news follows a report published by vpnMentor, whose cybersecurity team is led by Noam Rotem and Ran Locar. After posting their discovery, the researchers said that the database was still open at the time of publication and that the amount of compromised data was growing by the minute.
Researchers believe that the breach affects users in several countries, including China, Japan, Thailand, the US, the UK, Mexico, France, Australia, and Brazil, as the company claims to have around a million users.
The team behind the discovery contacted Orvibo starting June 16, 2019, but the company failed to respond, and the database was still open as of the publication of their report.
In its newly posted statement, Orvibo says it acted as soon as it received the information yesterday. That account does not coincide with the researchers' claim that “they were contacted since mid-June,” with no response received.
Nonetheless, the company said that it has already resolved the data leak vulnerability and taken action to improve its security. This resolution has also been confirmed by vpnMentor through an email.
When asked about the discrepancy between when the company says it found out and when it was notified, the researchers said that they made two attempts to contact the company regarding the vulnerability they discovered.
“We did contact them a first time on June 16th and a second time on June 26th. They have also been contacted by a ZDNet journalist on this matter, with no response. We believe they heard about it right after we published the report, which is why it happened only on July 2nd,” a spokesperson from the company said in an email they sent to Z6Mag.
Meanwhile, Orvibo spokesperson Nick Zheng, of the company’s Global Sales & Marketing Team, said that they are still busy sorting out the problem and will provide timely updates once the necessary fixes are completed. The company gave assurances that no other data was leaked after July 2, as the database has already been closed.
“Thanks for vpnMentor’s quick update on their related article to confirm that ORVIBO has resolved the vulnerability on July 2nd. Due to their timely report, there has no any data leak of users until now so avoiding any impact on information privacy,” Zheng added.
The company also stresses that their primary goal is to contain the breach and to prevent further incidents from happening.
“As an IoT company, ORVIBO attached great importance to users data security. ORVIBO keeps improving users data protection system,” they said.
Orvibo upgraded the encryption mechanism for passwords, enhanced the protection of user accounts and password resets, and strengthened cooperation with international cybersecurity companies to improve system security.
Orvibo added a dedicated email address for security concerns to maintain efficient communication with cybersecurity specialists and cybersecurity companies worldwide. Clients, security researchers, and other relevant parties can contact the company regarding security issues through firstname.lastname@example.org.
“[We] welcome communicating with ORVIBO security & RD team to build up [more] safer internet information environment,” Zheng added.
However, the company has yet to provide further details about why and how the issue happened. Currently, those affected by the data breach have yet to be notified.
Updated 10:09 AM EST to include statements from vpnMentor and Orvibo.