A recent investigation has revealed that hundreds of websites using Firebase have exposed approximately 125 million user records because their security rules were misconfigured. The exposed data includes plaintext passwords and sensitive billing information.

The investigation began after the successful breach of Chattr.ai prompted researchers to scan the entire internet for vulnerable Firebase instances. Despite facing initial challenges with memory leaks and lengthy scanning times, the team managed to compile a list of potentially affected sites.

Using a secondary scanner called Catalyst, the researchers assessed the impact of the exposed data by analyzing sample records from the affected sites. The data was then stored in a database for further analysis.

The findings reveal a staggering amount of exposed user information, including names, emails, phone numbers, passwords, and billing details. Some of the most affected websites include Silid LMS, an online gambling network, Lead Carrot, and MyChefTool.

Following the investigation, the researchers reached out to site owners to notify them of the misconfigurations. A majority of the emails were delivered and some site owners took action to secure their data, but only a small percentage responded to the notifications.

This incident shows that misconfigured Firebase security rules alone are enough to give unauthorized parties access to sensitive user data, and that site owners need to verify those rules to protect it.

