Three cybersecurity researchers uncovered a significant security lapse involving Firebase, a Google platform. They detected nearly 19 million plaintext passwords exposed on the public internet due to misconfigured Firebase instances. Their scan of more than five million domains identified 916 websites whose Firebase instances either had no security rules at all or had rules that were configured incorrectly.
The researchers’ investigation revealed alarming findings, including the exposure of over 125 million sensitive user records containing emails, names, passwords, phone numbers, and billing information. They developed a script called Catalyst to assess the vulnerability of Firebase instances, flagging those with no security rules or improper configurations. Notably, they found plaintext passwords for over 19 million accounts, a concerning discovery given Firebase’s built-in security features designed to prevent such breaches.
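The exposure described above comes down to database security rules: a Firebase backend with no rules, or with rules that grant anonymous read and write access, hands every record to anyone who finds the project URL. The block below is an added illustration, not code from the researchers, from the affected sites, or from Google. It assumes the Realtime Database rules format (the write-up does not say which Firebase product was involved), and the paths `users/$uid` and `public` and the field `displayName` are invented for the example. The misconfigured variant is shown as a comment; the live JSON is the hardened version.

```jsonc
// Misconfigured rules of the kind the write-up describes: the whole tree is
// world-readable and world-writable, so every record is public.
//
//   { "rules": { ".read": true, ".write": true } }
//
// Hardened rules (example, assumed layout): deny by default, then grant each
// authenticated user access only to their own subtree.
{
  "rules": {
    // Nothing is readable or writable unless a deeper rule grants it.
    ".read": false,
    ".write": false,

    "users": {
      // $uid is a wildcard matching one child key under /users.
      "$uid": {
        // Only the signed-in user whose Auth UID matches the key may read or write.
        ".read": "auth != null && auth.uid === $uid",
        ".write": "auth != null && auth.uid === $uid",

        "profile": {
          // Require a displayName and reject any attempt to store a 'password'
          // field here: credentials belong to Firebase Authentication, never to
          // the application database, hashed or otherwise.
          ".validate": "newData.hasChildren(['displayName']) && !newData.hasChild('password')"
        }
      }
    },

    "public": {
      // Content intended for everyone: readable by all, writable by no client.
      ".read": true,
      ".write": false
    }
  }
}
```

Two checks follow from this. First, an anonymous read of the database root (for example, fetching `<database-url>/.json` without a token) should return a permission-denied error, not data; that is essentially what a scan like the one the researchers describe is testing for. Second, rules only control who can reach the data; they do not fix what is stored there, so a review should also confirm that no collection holds passwords, card numbers, or other secrets that the application never needed to persist.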
Despite their efforts to notify affected organizations and prompt them to address the misconfigurations, only a small fraction responded, with a quarter fixing the issues. Some companies even responded dismissively or unprofessionally to the researchers’ warnings. The largest number of exposed records, including bank account details and plaintext passwords, came from an Indonesian gambling network, indicating widespread implications of the security lapse.