
Molekule did not disclose air purifier data vulnerability

From Consumer Rights Wiki

⚠️ Article status notice: This article has been marked as incomplete

This article needs additional work for its sourcing and verifiability to meet the wiki's Content Guidelines and be in line with our Mission Statement for comprehensive coverage of consumer protection issues. In particular:

  1. Currently the only source discussing this is the researcher's vulnerability report.

This notice will be removed once the issue/s highlighted above have been addressed and sufficient documentation has been added to establish the systemic nature of these issues. Once you believe the article is ready to have its notice removed, please visit the Moderator's noticeboard, or the discord and post to the #appeals channel.


In October 2025, a security researcher discovered that Molekule's internet-connected air purifier network contained a vulnerability that could expose data from approximately 100,000 devices worldwide. The vulnerability, which stemmed from an improperly configured cloud authentication service, allowed unauthenticated parties to access real-time device data, including WiFi network names, hardware identifiers, and sensor readings. The researcher reported the issue to Molekule on 30 October 2025 under a 90-day responsible disclosure timeline. Molekule made no active attempt to disclose the vulnerability to users who may have been affected by it, and told the researcher that he did not have permission to disclose it, even after the researcher refused to sign an NDA that would have barred him from discussing it. Molekule appeared to have patched the vulnerability by January 2026 but did not publicly acknowledge the issue or notify customers. The researcher published his report on 30 January 2026.[1]

Background


Molekule is a consumer electronics company that manufactures internet-connected air purifiers. The company's products connect to the internet via WiFi and communicate with cloud-based servers, allowing users to monitor and control their devices through a mobile application. Like many Internet of Things (IoT) devices, Molekule's air purifiers transmit operational data, such as air quality readings, device status, and network information, to the company's servers on an ongoing basis.[1]

Molekule's backend infrastructure uses Amazon Web Services (AWS). Specifically, it uses AWS IoT Core, a managed service for device-to-server communication via the MQTT messaging protocol, and AWS Cognito, a service for managing user identity and authentication. AWS Cognito identity pools can be configured to grant temporary AWS credentials to both authenticated users and unauthenticated "guest" users who have not logged in.[2] AWS's own security guidance for IoT Core states that all devices and users should have policies that only allow them to connect with known client identifiers and to publish and subscribe to a defined set of topics, following the principle of least privilege.[3]

Vulnerability discovery and details


On 25 October 2025, a security researcher identified a vulnerability in Molekule's cloud infrastructure while analysing the code contained within the company's official Android application.[1]

Hardcoded credentials in the mobile application


According to the researcher's report, the Molekule Android application contained hardcoded configuration details — including cloud service identifiers, API endpoints, and third-party service keys — embedded directly within the application's source code. The researcher stated that these details were accessible to anyone who downloaded and examined the application file, and included configurations for the company's production, integration, and development environments.[1]

Unauthenticated access to device data


The researcher reported that Molekule's AWS Cognito Identity Pool was configured to permit access without any form of authentication. AWS documentation describes this as "guest access," a feature intended for applications that allow users to interact without logging in.[2] In Molekule's case, according to the researcher, this meant that any party could obtain temporary server credentials and connect to Molekule's device communication system without providing a username, password, or any other identifying information.[1]

Once connected, the researcher stated that it was possible to subscribe to "wildcard" topics — a configuration that, in this case, permitted a single connection to receive data updates from all connected devices globally, rather than being restricted to a specific user's own devices. AWS's security best practices documentation recommends that IoT policies should restrict each user to publishing and subscribing only to a defined and limited set of topics.[3] The researcher attributed the vulnerability in part to the absence of such per-device restrictions in Molekule's IoT policy configuration.[1]

The researcher noted that the vulnerability was limited to read-only access; the exposed credentials did not permit an attacker to send commands to, or otherwise control, devices remotely. The researcher classified the vulnerability as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and described the exploitation as straightforward, requiring only basic programming knowledge and publicly available software tools.[1]
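As an added illustration that is not part of the original article or of any Molekule code: the policy shape the researcher describes in the sections above (guest identity plus an IoT policy that lets one connection subscribe to every topic) beside the per-identity shape that AWS's least-privilege guidance calls for, with a small Python audit that flags the first and passes the second. The policy documents are constructed samples, the region and account fields are placeholders, and only `${cognito-identity.amazonaws.com:sub}` is a real AWS IoT policy variable.

```python
import json
# Constructed sample policies (not Molekule's real configuration). Weak shape: any caller
# may connect with any client id and subscribe to every topic on the broker.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iot:Subscribe", "iot:Receive"], "Resource": "*"},
    ],
})
ARN = "arn:aws:iot:REGION:ACCOUNT"             # placeholder region and account id
SUB = "${cognito-identity.amazonaws.com:sub}"  # AWS IoT policy variable: caller's Cognito identity
# Hardened shape: client id and topic tree are both anchored to the caller's own identity.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect", "Resource": f"{ARN}:client/{SUB}"},
        {"Effect": "Allow", "Action": "iot:Subscribe", "Resource": f"{ARN}:topicfilter/devices/{SUB}/*"},
        {"Effect": "Allow", "Action": "iot:Receive", "Resource": f"{ARN}:topic/devices/{SUB}/*"},
    ],
})
DATA_ACTIONS = {"iot:Connect", "iot:Subscribe", "iot:Receive", "iot:Publish", "iot:*"}
def _as_list(v):
    return v if isinstance(v, list) else [v]
def is_overbroad(resource: str) -> bool:
    """True for '*' or an IoT client/topic/topicfilter ARN that reaches a wildcard
    (*, #, +) before any ${...} policy variable has scoped the path to one identity."""
    if resource == "*":
        return True
    parts = resource.split(":", 5)                   # keeps the ':' inside ${...} intact
    if len(parts) < 6:
        return True                                  # not a well-formed IoT ARN
    kind, _, path = parts[5].partition("/")
    if kind not in ("client", "topic", "topicfilter"):
        return True
    for i, ch in enumerate(path):
        if ch in "*#+":
            return "${" not in path[:i]              # wildcard with no identity scoping before it
    return False
def audit(policy_json: str) -> list:
    """One finding per Allow statement granting a data-plane action on an over-broad resource."""
    findings = []
    for n, st in enumerate(json.loads(policy_json)["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action", [])):
            for res in _as_list(st.get("Resource", [])):
                if action in DATA_ACTIONS and is_overbroad(res):
                    findings.append(f"statement {n}: {action} allowed on over-broad resource {res}")
    return findings
```

Run `audit()` over the policies attached to an identity pool's unauthenticated role; any finding there is the combination the researcher described, since guest credentials are obtainable by anyone.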

Data exposed


According to the researcher's report, the vulnerability potentially exposed the following categories of data from approximately 100,000 devices:[1]

  • WiFi network names (SSIDs), which the researcher noted often contained street addresses or business names
  • MAC addresses (unique hardware identifiers for each device)
  • User-assigned device names, which sometimes contained personal information such as room locations
  • Real-time sensor readings including air quality, temperature, and humidity data
  • Device operational data including firmware versions, serial numbers, and usage patterns
  • Network signal strength and connection diagnostics

The researcher stated that the combination of WiFi network names, device names, and usage timestamps could allow a third party to infer a device owner's physical location and daily routines.

Regulatory significance of exposed data


The researcher asserted that several categories of the exposed data constitute personal data under major privacy regulations. Under the European Union's General Data Protection Regulation (GDPR), Article 4(1) defines personal data broadly as any information relating to an identified or identifiable natural person, including by reference to an "online identifier."[4] Recital 30 of the GDPR elaborates that natural persons may be associated with identifiers provided by their devices, such as internet protocol addresses and radio frequency identification tags, which may be used to create profiles and identify individuals.[5] Legal analyses have concluded that MAC addresses of personal devices are to be considered personal data under the GDPR, following the reasoning of the Court of Justice of the European Union in Breyer v. Bundesrepublik Deutschland (Case C-582/14), which held that dynamic IP addresses can constitute personal data when a controller has the means to identify an individual.[6]

Under the California Consumer Privacy Act (CCPA), a "unique identifier" is defined as a persistent identifier that can be used to recognise a consumer, family, or device over time and across services, explicitly including device identifiers.[7]


Timeline of detection, patching, and disclosure


The researcher followed a 90-day responsible disclosure process, as is common practice within the cybersecurity industry.[8]

Within his report, the researcher presented the following timeline of events:

Date               Event
25 October 2025    Researcher discovered and validated the vulnerability.
26 October 2025    Researcher contacted Molekule and requested a PGP key for secure communication.
29 October 2025    Molekule's security team responded.
30 October 2025    Researcher sent the full vulnerability report with a 90-day disclosure deadline.
12 November 2025   Researcher requested a status update from Molekule.
13 November 2025   Molekule offered a bounty, contingent on the researcher signing a non-disclosure agreement (NDA).
14 November 2025   Researcher declined the NDA and proposed continuing with the standard disclosure timeline. The researcher also suggested Molekule file for a CVE identifier.
19 November 2025   Molekule requested additional technical details.
20 November 2025   Researcher provided the requested information.
6 January 2026     Researcher requested a status update. No response was received.
30 January 2026    Researcher's testing indicated the vulnerability had been patched. The researcher published the full disclosure report.
1 February 2026    Molekule responded to the researcher (see Molekule's response below).

Molekule's response


According to the researcher, Molekule initially responded to the vulnerability report within three days of the researcher's outreach.[1]

On 13 November 2025, Molekule offered the researcher a bounty in exchange for signing a non-disclosure agreement. The researcher stated that the proposed NDA would have prevented any public discussion of the vulnerability, including after a fix had been implemented. The researcher declined and proposed continuing under the standard responsible disclosure timeline.[1]

Following an exchange of additional technical details on 20 November 2025, the researcher reported that Molekule ceased communication. The researcher's request for a status update on 6 January 2026 received no response.[1]

On 1 February 2026, one day after the researcher's public disclosure, Molekule responded. According to the researcher, Molekule characterized exploitation of the vulnerability as requiring "wrongful registration" and stated that it would constitute "criminal trespass". Molekule acknowledged having implemented a patch and offered a confidential meeting to verify the fix. The company also stated that it did not consent to the public disclosure, despite the vulnerability affecting user data.[1]

As of February 2026, Molekule has not issued any public statement regarding the vulnerability or indicated whether affected customers have been notified.[1]

Consumer impact


The researcher stated that data from approximately 100,000 devices was potentially accessible through the vulnerability, and suggested it may have been exploitable for a period of years prior to its discovery. The researcher noted that there is no way to determine whether other parties independently discovered and exploited the vulnerability before it was reported.[1]

No public information is currently available regarding whether Molekule has conducted an investigation into potential prior exploitation of the vulnerability, or whether the company intends to notify affected users.[1]


References

  1. zuernerd (2026-01-30). "Vulnerability Report: Unauthenticated MQTT Broker Access in Molekule IoT Air Purifiers". Archived from the original on 2026-02-06. Retrieved 2026-02-02.
  2. "Identity pools console overview". Amazon Cognito Developer Guide. Amazon Web Services. Archived from the original on 2025-12-22. Retrieved 2026-02-02.
  3. "Security best practices in AWS IoT Core". AWS IoT Core Developer Guide. Amazon Web Services. Archived from the original on 2026-02-09. Retrieved 2026-02-02.
  4. "Art. 4 GDPR – Definitions". General Data Protection Regulation (GDPR). Archived from the original on 2026-02-06. Retrieved 2026-02-02.
  5. "Recital 30 – Online Identifiers for Profiling and Identification". General Data Protection Regulation (GDPR). Archived from the original on 2025-12-09. Retrieved 2026-02-02.
  6. "WiFi-Tracking and Retail Analytics under the GDPR". TechGDPR. Archived from the original on 2025-10-07. Retrieved 2026-02-02.
  7. "Section 1798.140 – Definitions". California Consumer Privacy Act. Archived from the original on 2025-02-09. Retrieved 2026-02-02.
  8. "Vulnerability Disclosure FAQ". Project Zero. Google. Archived from the original on 2026-02-13. Retrieved 2026-02-02.