The web has established some security standards, but the same cannot be said for our smart home devices. For the most part, the smart home is still a relatively new concept, which means that it might be a while before a standard can be established and agreed upon. Unfortunately, until then, we can expect vulnerabilities every now and then.
According to a recent report from Limited Results (via AppleInsider), LIFX’s HomeKit-enabled smart bulbs do not encrypt the WiFi passwords that they store. This means that, in theory, hackers could see your WiFi passwords, which would give them access to the local network. From there they could launch a variety of attacks if they so desired.
Thankfully, though, gaining access to the stored WiFi passwords requires the attacker to have physical access to the bulb and to remove some parts to get to the logic board where the passwords are stored. This means that there is a low chance of you actually getting hacked.
However, the fact that the passwords are unencrypted is a security issue by itself and should probably be addressed all the same. The researcher informed LIFX of this issue back in May 2018, but it seems that, so far, the issue has yet to be resolved.