Misconfigured Firebase instances leaked 19 million plaintext passwords

March 19, 2024 at 07:30PM

Security researchers discovered nearly 19 million plaintext passwords exposed due to misconfigured Firebase instances, with millions of sensitive user records including emails, names, phone numbers, and billing information. The trio of researchers scanned over five million domains and found 916 websites with inadequate security rules. They alerted impacted companies and discovered a total of 223 million exposed records.
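The "inadequate security rules" the researchers found come down to database rules that grant read or write access to any client, authenticated or not. The following is an added example, not code from the article or from the researchers: it assumes the Firebase Realtime Database JSON rules format (a `rules` tree whose `.read`/`.write` values are booleans or rule-expression strings), embeds a constructed world-readable rules document beside a constructed hardened one, and walks a rules tree to report every path that is open to unauthenticated clients. Function and constant names are the example's own.

```python
import json

# Constructed example of the weak pattern: the whole tree is readable and
# writable by anyone who knows the database URL.
WEAK_RULES_JSON = """
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
"""
WEAK_RULES = json.loads(WEAK_RULES_JSON)

# Constructed hardened version (assumed example, not the article's): each
# signed-in user may only read and write their own node, and nothing at the
# top level is open, so the users collection cannot be listed as a whole.
HARDENED_RULES = {
    "rules": {
        "users": {
            "$uid": {
                ".read": "auth != null && auth.uid == $uid",
                ".write": "auth != null && auth.uid == $uid",
            }
        }
    }
}

# Rule keys that carry access decisions; other dotted keys (.validate,
# .indexOn) do not grant access and are skipped.
ACCESS_VERBS = (".read", ".write")


def _grants_public_access(expr) -> bool:
    """True when a .read/.write value admits unauthenticated clients.

    Realtime Database accepts either a boolean or a string expression, so
    both `true` and `"true"` are treated as public.
    """
    if expr is True:
        return True
    if isinstance(expr, str):
        return expr.strip().lower() == "true"
    return False


def find_public_paths(rules: dict, path: str = "/") -> list:
    """Walk a rules subtree and return (path, verb) for every public grant.

    Rules in the Realtime Database cascade downward, so a public grant at
    "/" exposes every child path beneath it.
    """
    findings = []
    for key, value in rules.items():
        if key in ACCESS_VERBS:
            if _grants_public_access(value):
                findings.append((path, key))
        elif isinstance(value, dict):
            child_path = f"{path.rstrip('/')}/{key}/"
            findings.extend(find_public_paths(value, child_path))
    return findings


def audit_rules_document(doc: dict) -> list:
    """Audit a full rules document ({"rules": {...}}) for public access."""
    return find_public_paths(doc.get("rules", {}))


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit_rules_document(doc))
```

Running the audit against the constructed weak document reports public `.read` and `.write` at `/`; against the hardened document it reports nothing. Note that loosening the hardened rules to a bare `auth != null` would pass this check yet still let any signed-in account (including anonymous sign-ins, if enabled) read every user's node, so the per-user `auth.uid == $uid` condition is the part that actually scopes access. Separately, rules cannot protect data that should never be in the database: passwords belong in the identity provider as salted hashes, not in user records as plaintext.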

Key takeaways from the article:

1. Three cybersecurity researchers discovered close to 19 million plaintext passwords exposed on the public internet due to misconfigured instances of Firebase.

2. They found over 125 million sensitive user records, including emails, names, phone numbers, and billing information with bank details.

3. The researchers utilized scripts to identify and extract samples of 100 records from exposed databases.

4. After analyzing the data, they attempted to alert impacted companies of the security flaws, but only a quarter of the notified site administrators addressed the misconfigurations.

5. Some organizations responded unprofessionally to the researchers’ warnings, even when presented with specific guidance on how to fix the issues.

6. The total number of records the researchers discovered in misconfigured databases is 223,172,248, with approximately 124.6 million relating to users.

7. The project stemmed from a previous incident where the researchers obtained admin and “superadmin” permissions on a misconfigured instance of Firebase used by Chattr, a hiring software solution used by major fast food chains in the United States. Despite responsibly disclosing the vulnerability, the company stopped responding to further communications.

These takeaways highlight the widespread impact of misconfigured Firebase instances and the researchers’ extensive efforts to identify and address these security issues.
