Security researchers have discovered that over 900 websites using Google’s cloud database service, Firebase, have been leaking sensitive user information.
The AI hiring service “chattr” was found to have implemented Firebase poorly, which allowed the researchers to create a new admin account and access sensitive data.
This discovery led them to scan the internet for similar misconfigured databases, using a custom-built tool. Their search revealed more than 900 websites that were leaking approximately 125 million sensitive data records.
According to the researchers, a massive data breach occurred, revealing 85 million names, 106 million email addresses, 34 million phone numbers, 20 million passwords, and 27 million billing details. Shockingly, all of this sensitive information was easily accessible in plaintext.
The researchers also believe that the actual scale of the breach may be much larger than their findings suggest, since they most likely did not uncover every misconfigured site. After discovering the breach, they sent warnings to 842 websites; 85% of those messages were delivered, while around 9% bounced.
Misconfigured databases are a major cause of data leaks today, mainly due to human error. Google Firebase is a backend service that provides cloud data storage and development tools for websites and apps.
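The article does not say which Firebase product or setting was at fault in each case, but the most common form of this misconfiguration is a Realtime Database whose security rules grant unauthenticated read (or write) access to the whole tree, often left over from the "test mode" default. The following audit script is an added example, not code from the article or the researchers' tool: it takes a rules document in the same JSON shape you export from the Firebase console, walks it, and reports every path whose `.read` or `.write` rule is unconditionally `true`. The two rule documents embedded in it are constructed samples, one weak and one hardened; running the check against your own exported rules before deploying them is the intended use.

```python
import json

# Constructed sample: the insecure "test mode" style rules that grant
# unauthenticated read/write to the entire database.
WEAK_RULES = json.loads("""
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
""")

# Constructed sample: per-user records readable/writable only by their owner,
# plus an "announcements" branch that is public read-only and admin write.
HARDENED_RULES = json.loads("""
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    },
    "announcements": {
      ".read": true,
      ".write": "auth != null && auth.token.admin == true"
    }
  }
}
""")

PERMISSION_KEYS = (".read", ".write")


def is_public(rule) -> bool:
    """A rule that is literally true grants access to unauthenticated clients."""
    if rule is True:
        return True
    return isinstance(rule, str) and rule.strip() == "true"


def find_public_rules(rules: dict, path: str = "/") -> list:
    """Walk a Realtime Database rules tree and return (path, permission) pairs
    that are unconditionally open. Permissions cascade downward in these rules,
    so a hit at or near the root exposes every node beneath it, and a child
    rule cannot revoke it."""
    findings = []
    # The exported document wraps everything in a top-level "rules" key.
    node = rules.get("rules", rules) if path == "/" else rules
    for key, value in node.items():
        if key in PERMISSION_KEYS:
            if is_public(value):
                findings.append((path, key))
        elif isinstance(value, dict):
            child = path.rstrip("/") + "/" + key
            findings.extend(find_public_rules(value, child))
    return findings


def public_write_paths(rules: dict) -> list:
    """Paths anyone on the internet could write to: the highest-severity class."""
    return [p for p, perm in find_public_rules(rules) if perm == ".write"]


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, find_public_rules(doc))
```

The hardened sample still reports one finding, the public read on `/announcements`, which is deliberate: the script does not decide whether public data is acceptable, it surfaces every open path so a reviewer can confirm each one is intentional. A public `.write` anywhere, and a public `.read` at `/`, are the two results that should block a deployment outright.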
As per 6sense, Firebase has over 47,000 customers this year, with the majority (54.25%, or 18,613) being from the United States. Some of the high-profile clients of Firebase include Alibaba, Lyft, Venmo, and The Economist.
Of those who received the notification, 24% responded and resolved the issue, 1% reached out to the researchers, and 0.2% offered a bug bounty.