Misconfigured Firebase instances leaked 19 million plaintext passwords
Three cybersecurity researchers discovered close to 19 million plaintext passwords exposed on the public internet by misconfigured instances of Firebase, a Google platform for hosting databases, cloud computing, and app development.
The researchers started looking on the public web for personally identifiable information exposed via vulnerable Firebase instances.
Eva told us that companies must have gone "out of their way to store" passwords in plain text because Firebase has an end-to-end identity solution called Firebase Authentication specifically for secure sign-in processes that do not expose user passwords in the records.
After analyzing the data from the samples, the researchers tried to warn all impacted companies of improperly secured Firebase instances and sent 842 emails over 13 days.
The new script scanned more than five million domains connected to Google's Firebase platform for backend cloud computing services and application development.
Scanning the internet for exposed PII from misconfigured Firebase instances is a follow-up to another project the researchers conducted two months ago, when, due to misconfiguration issues, they obtained admin and then "superadmin" permissions [1, 2] on an instance of Firebase used by Chattr, an AI-powered hiring software solution.