Misconfigured Firebase Instances Expose 19 Million Plaintext Passwords


Three security researchers recently found close to 19 million plaintext passwords sitting exposed on the public internet. The exposure stemmed from misconfigured instances of Firebase, Google's platform for building web and mobile apps, which provides hosted databases (the Realtime Database and Cloud Firestore), authentication, hosting and other backend services.

Scanning more than five million domains, the trio identified 916 websites, belonging to a range of organizations, whose Firebase databases could be read without authentication because their Security Rules were missing or misconfigured. A Firebase database is protected only by those rules: a rule set that grants public read access lets anyone who knows the database URL pull its contents over the REST API. This oversight exposed more than 125 million user records, including emails, names, passwords, phone numbers, and billing information containing bank details.

The researchers, known as Logykk, xyzeva (Eva), and MrBruh, combed through the publicly accessible data using Eva's Catalyst script to gauge the scope of the exposure. Their findings showed that 98% of the exposed passwords, 19,867,627 in all, were stored in plaintext. Passwords should never be stored in recoverable form; the accepted practice is a salted, deliberately slow hash such as bcrypt, scrypt or Argon2, so that a leaked database does not hand an attacker working credentials. Firebase Authentication itself stores only password hashes, so plaintext values in an app's database are something the application code chose to write there.
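The two checks at the heart of the story, whether a Realtime Database answers anonymous reads and whether the password fields in the data it returns are hashes or plaintext, can be reproduced in a few dozen lines. The following is an added example written for this article, not the researchers' Catalyst script or any Firebase tooling. It assumes the default-region hostname `<project-id>.firebaseio.com` (instances in other regions use a `firebasedatabase.app` hostname and Cloud Firestore has a different API, neither of which this probe covers), the hash-format regexes are heuristics for common formats only, and `SAMPLE_EXPORT` is constructed data standing in for what a public read would return.

```python
"""Check a Firebase Realtime Database for anonymous read access and scan an
export for plaintext password fields.

Added example, not the researchers' Catalyst script or any Firebase tooling.
Assumptions: the database uses the default-region hostname
<project-id>.firebaseio.com, HASH_PATTERNS are heuristics for common hash
formats only, and SAMPLE_EXPORT is constructed data.
"""
import json
import re
import urllib.error
import urllib.request


def rtdb_probe_url(project_id: str, path: str = "/") -> str:
    """Build the REST URL for an unauthenticated read of one database path.

    The trailing ".json" selects the Realtime Database REST API; shallow=true
    asks only for the keys directly under the path, so a probe of a public
    instance confirms the exposure without downloading the data itself.
    """
    path = "/" + path.strip("/")
    return f"https://{project_id}.firebaseio.com{path}.json?shallow=true"


def classify_rtdb_response(status: int, body: str) -> str:
    """Turn the HTTP status and body of a probe into a verdict.

    Security Rules that permit public read answer 200 with the data (JSON
    null when the path is empty); rules that deny the anonymous read answer
    401 with {"error": "Permission denied"}.
    """
    if status == 200:
        try:
            data = json.loads(body)
        except json.JSONDecodeError:
            return "unknown"
        return "public-read (empty)" if data is None else "public-read"
    if status in (401, 403):
        return "locked"
    return f"unknown (HTTP {status})"


def probe_rtdb(project_id: str, path: str = "/", timeout: float = 10.0) -> str:
    """Run the live probe. Needs network access; the offline checks below
    work on constructed responses instead."""
    req = urllib.request.Request(rtdb_probe_url(project_id, path),
                                 headers={"User-Agent": "rtdb-rules-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_rtdb_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        return classify_rtdb_response(err.code, err.read().decode())


# Heuristics for values that are already hashes rather than passwords.
HASH_PATTERNS = (
    re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"),              # bcrypt
    re.compile(r"^\$argon2(?:id|i|d)\$"),                              # Argon2
    re.compile(r"^\$(?:7|scrypt|pbkdf2(?:-sha\d+)?)\$"),               # scrypt / PBKDF2, crypt style
    re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I),  # bare MD5/SHA-1/SHA-256 hex
)
PASSWORD_KEYS = {"password", "passwd", "pass", "pwd", "user_password"}


def looks_hashed(value: str) -> bool:
    return any(p.match(value) for p in HASH_PATTERNS)


def password_fields(record, path=""):
    """Yield (path, value) for every password-like string field, recursively."""
    if isinstance(record, dict):
        for key, value in record.items():
            here = f"{path}/{key}"
            if isinstance(value, dict):
                yield from password_fields(value, here)
            elif isinstance(value, str) and key.lower() in PASSWORD_KEYS:
                yield here, value


def find_plaintext_passwords(export: dict) -> list:
    """Return the password-like fields whose value is not a recognised hash."""
    return [(p, v) for p, v in password_fields(export) if not looks_hashed(v)]


def password_storage_summary(export: dict) -> dict:
    fields = list(password_fields(export))
    plaintext = [f for f in fields if not looks_hashed(f[1])]
    return {"total": len(fields), "plaintext": len(plaintext)}


# Constructed sample of what a full (non-shallow) public read might return.
SAMPLE_EXPORT = {
    "users": {
        "u1": {"email": "a@example.test", "password": "hunter2"},
        "u2": {"email": "b@example.test",
               "password": "$2b$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW"},
        "u3": {"email": "c@example.test",
               "profile": {"pwd": "correct horse battery staple"}},
    },
    "orders": {"o1": {"amount": 42}},
}

if __name__ == "__main__":
    print(rtdb_probe_url("demo-project"))
    print(classify_rtdb_response(401, '{"error": "Permission denied"}'))
    print(password_storage_summary(SAMPLE_EXPORT))
```

Run `probe_rtdb("your-project-id")` against a project you own: a "locked" verdict means the rules reject anonymous reads, while "public-read" means the rules need tightening before anything else is done. The password scan is meant for a full export of your own data (the shallow probe deliberately returns only keys); the hex-digest pattern counts unsalted MD5 or SHA digests as "hashed" only in the sense that they are not plaintext, and they should still be migrated to a slow, salted scheme.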

Upon discovery, the researchers set about alerting the affected organizations, sending 842 emails over 13 days. Only a small fraction of site owners responded, and only about a quarter fixed the misconfiguration in their Firebase projects.

Some of the affected organizations offered bug bounties, albeit modest ones. Others were less cooperative; one Indonesian gambling network dismissed the issue outright, showing no regard for its severity.

The scale of the exposure is staggering: 223,172,248 records in total, spanning user data and organizational information. Even so, the researchers caution that this figure may understate the true extent of what was reachable.

This investigation follows an earlier project in which the researchers uncovered vulnerabilities in Firebase instances used by Chattr, an AI-powered hiring platform used by prominent fast-food chains in the United States. The researchers disclosed the flaw to Chattr responsibly, but their follow-up communications went unanswered.

The magnitude of this exposure underscores a basic point: a hosted database is only as private as its access rules, and those rules, along with the way credentials are stored in it, need to be reviewed before sensitive data is placed behind them.