Cybersecurity researchers have uncovered a configuration error in Firebase instances, resulting in the exposure of almost 19 million plaintext passwords.

What is Firebase?

Firebase is a popular development platform owned by Google. It provides a range of services for building and maintaining apps, including real-time databases, cloud storage, authentication, and more. Firebase’s convenience and ease of use have made it a go-to choice for many developers.

The researchers (Logykk, xyzeva/Eva, and MrBruh) started scanning the public web for personally identifiable information (PII) exposed through vulnerable Firebase instances.

Eva told BleepingComputer that they found Firebase instances that had no security rules at all or were incorrectly configured and permitted read access to databases.

“Most of the sites also had write enabled which is bad,” Eva told us, adding that among these they also found a bank.
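As an added illustration, not taken from the article or from the researchers, here are two Firebase Realtime Database rule sets shown one after the other: the kind of open configuration that produces the exposure described above, followed by a hardened version. The `users` path, the `$uid` variable and the field names are assumptions for the example; the `//` comments are accepted by Firebase's rules editor but are not part of the rule language proper.

```json
// Open configuration: anyone on the internet, signed in or not, can read
// and write the whole database. Because read/write grants cascade downward,
// no rule on a child path can take this access back.
{
  "rules": {
    ".read": true,
    ".write": true
  }
}

// Hardened configuration (assumed layout: /users/{uid}/...). Access is denied
// at the root and granted only to a signed-in user for their own record.
{
  "rules": {
    ".read": false,
    ".write": false,
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid",
        "email": {
          ".validate": "newData.isString() && newData.val().matches(/^[^@]+@[^@]+$/)"
        },
        "password": {
          // Credentials do not belong in the database; reject the key outright.
          ".validate": false
        }
      }
    }
  }
}
```

Because `".read": false` at the root is Firebase's default when a path has no rule, the first configuration is equivalent to having written no rules at all except for the explicit `true` grants.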

For each exposed database, Eva’s script, Catalyst, checked for the type of data available and extracted a sample of 100 records.


All the details were organized in a private database that gives a numerical overview of the sensitive user information companies exposed through improper security settings:

  • Names: 84,221,169
  • Emails: 106,266,766
  • Phone Numbers: 33,559,863
  • Passwords: 20,185,831
  • Billing Info (Bank details, invoices, etc): 27,487,924

For passwords, the problem gets worse because 98% of them, or 19,867,627 to be exact, are in plain text.
