
Firebase: 19 million credentials exposed due to a simple error

A large-scale misconfiguration puts the personal information of millions of users at risk

A Firebase misconfiguration exposed 19 million passwords and 125 million pieces of sensitive data. An analysis of over 5 million domains found 916 vulnerable platforms with 223 million records at risk. Only 1% of the companies contacted responded, which highlights the urgency of improving security measures.

A serious error in the configurations of Firebase, a service offered by Google for managing databases, cloud computing and app development, led to the exposure of 19 million passwords without any protection. This incredible security flaw was discovered by a trio of cybersecurity specialists known in the digital world as Logykk, xyzeva/Eva and MrBruh. The latter conducted in-depth investigations, uncovering the exposure of 125 million pieces of sensitive data, including emails, names, contact numbers and financial details of the affected platforms' users.

Large-scale reconnaissance reveals poor security measures

Through an analysis of more than 5 million web domains, the researchers found that 916 platforms, belonging to various business sectors, had serious gaps in their security precautions or none at all. The investigation, which took approximately 1 month, identified 223 million unprotected records, a substantial portion of which traces back to the personal information of approximately 124.6 million individuals. This estimate, which the researchers consider conservative, underlines the potential magnitude of the risk faced by users.

Unsuccessful communication and a notable case study

The team of researchers took the initiative to inform affected companies, sending 842 emails over the course of 13 days. However, only 1% responded. A notable case that emerged during the analysis was that of a well-known gambling network in Indonesia, which was found to be the largest source of vulnerable banking information, with 8 million banking records and 10 million passwords compromised.

Consequences and invitation to improve security measures

The investigation conducted by Logykk, xyzeva/Eva and MrBruh highlights the imperative need to maintain secure configurations in cloud platforms. Developers and organizations are strongly encouraged to adhere to strong security standards to prevent future data exposures and ensure user privacy is protected. This episode serves as a wake-up call for the IT industry, prompting an immediate review of security policies.


03/20/2024 20:22

Marco Verro
