2 min Security

Almost 19 million passwords exposed due to Firebase misconfigurations

Almost 19 million passwords exposed due to Firebase misconfigurations

Cybersecurity researchers recently discovered a startling security lapse involving nearly 19 million plaintext passwords exposed on the internet. Misconfigured instances of Firebase, a Google platform for hosting databases and app development, proved to be the cause.

The three researchers conducted a comprehensive scan of over five million domains. They uncovered 916 websites with inadequate security settings on Firebase. These misconfigurations allowed unauthorized access to sensitive user information, including emails, names, phone numbers, and billing details including bank information, BleepingComputer reports.

The investigation revealed almost 125 million sensitive user records. Over 98 percent of passwords were stored in plaintext, despite Firebase offering secure sign-in solutions.

The trio alerted affected companies, whose responses varied widely. While some quickly fixed the issue, others showed negligence or even mockery. Notably, an Indonesian gambling network managing nine websites displayed a dismissive attitude despite being responsible for a significant portion of the exposed records.

Over 223 million records exposed in total

The researchers’ process involved using custom scripts to analyze data and identify vulnerabilities. Ultimately, they discovered over 223 million exposed records, of which 124,605,664 related to users. The remaining records represented data associated with organizations and the tests they’ve run.

The revelation was not an isolated incident, but rather an outgrowth of a previous project undertaken by the researchers. They had exposed vulnerabilities in the Firebase instance utilized by Chattr, an AI-powered hiring software solution used by several major fast food chains in the United States.

These security breaches highlight the need for robust cybersecurity measures to safeguard sensitive user data in an increasingly digitized landscape.

Read more: Data breaches aren’t setting records anymore, but there are more victims than ever