Firebase Data Breach Exposes Sensitive User Information
Security researchers have uncovered a widespread data breach affecting over 900 websites utilizing Google’s cloud database service, Firebase. The discovery stemmed from the flawed implementation of Firebase in the AI hiring service “chattr,” enabling researchers to create a new admin account and access sensitive user data. This revelation prompted an extensive scan of the internet, revealing more than 900 misconfigured databases leaking approximately 125 million sensitive records.
The breach exposed a staggering amount of personal information, including 85 million names, 106 million email addresses, 34 million phone numbers, 20 million passwords, and 27 million billing details, all easily accessible in plaintext. Researchers suspect the actual breach scale may surpass their findings due to undiscovered misconfigurations.
After identifying the breach, researchers contacted 842 affected websites, with 85% receiving warnings. However, 9% of emails bounced, suggesting some entities remain unaware of the issue. Misconfigured databases, often a result of human error, continue to pose significant data leak risks. Firebase, a popular backend service, serves over 47,000 customers worldwide, including prominent names like Alibaba, Lyft, and Venmo.
Despite the warnings, only 24% of notified websites responded and resolved the issue, while 1% engaged with researchers. A mere 0.2% offered bug bounties, underscoring the urgent need for better data security measures to prevent such breaches.
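The following is an added example, not code from the article or the researchers: a small Python audit of a Firebase Realtime Database rules file for the over-broad access that leads to leaks like these. It assumes the misconfiguration is expressed in security rules, which the article does not specify; the function names and the sample rules are constructed for illustration.

```python
import json

# Expressions that only require *some* signed-in user. With open sign-up this
# is effectively public, since anyone can register an account.
AUTH_ONLY = {"auth!=null", "auth.uid!=null", "auth!==null", "auth.uid!==null"}

def classify(rule):
    """Return 'public', 'any-signed-in-user', or None for a .read/.write value."""
    text = "".join(str(rule).lower().split())
    if text == "true":
        return "public"
    return "any-signed-in-user" if text in AUTH_ONLY else None

def audit(node, path="/", inherited=None):
    """List over-broad grants in a Realtime Database rules tree.

    Grants cascade downward: once a parent allows an operation, a deeper rule
    cannot revoke it, so such child rules are reported as shadowed.
    """
    inherited = dict(inherited or {})
    findings = []
    for op in (".read", ".write"):
        if op not in node:
            continue
        level = classify(node[op])
        held = inherited.get(op)  # (path, level) already granted by an ancestor
        if held and not (level == "public" and held[1] != "public"):
            findings.append((path, op, "shadowed by " + held[0]))
        elif level:
            findings.append((path, op, level))
            inherited[op] = (path, level)
    for key, child in node.items():
        if isinstance(child, dict):
            findings += audit(child, path.rstrip("/") + "/" + key, inherited)
    return findings

# Constructed sample rules, not taken from any site mentioned in the article.
SAMPLE_RULES = json.loads("""
{"rules": {
  ".read": true,
  "users": {"$uid": {".read": "auth != null && auth.uid == $uid",
                     ".write": "auth != null && auth.uid == $uid"}},
  "admins": {".write": "auth != null"},
  "billing": {".read": "auth.uid != null", ".write": false}
}}
""")

if __name__ == "__main__":
    for path, op, issue in audit(SAMPLE_RULES["rules"]):
        print(f"{path:<14}{op:<8}{issue}")
```

A "shadowed" finding means the per-user rule looks safe in isolation but has no effect, because the broader grant higher in the tree already applies.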