Massive Data Breach: 125 Million Records Exposed Due to Firebase Misconfiguration

Introduction

Logykk, xyzeva, and MrBruh have unveiled a troubling truth: 900+ sites suffered a Firebase misconfiguration, exposing 125M user records. The records contain plaintext passwords and sensitive billing information.

Scanning for Vulnerabilities

Initially, researchers employed a Python scanner, but it proved impractical due to memory consumption issues. Subsequently, they turned to Go-based scanning, which, though expected to conclude in 11 days, actually took nearly 2 to 3 weeks, producing valuable insights.

Identifying Misconfigurations

To expedite the process, researchers compiled a shortlist of potentially affected websites and developed the "Catalyst" scanner. This tool identifies read access to Firebase collections and calculates the impact of exposed data, facilitating efficient analysis.

Uncovering Disturbing Findings

The resulting database revealed alarming statistics: 84 million names, 106 million email addresses, 33 million phone numbers, 20 million passwords, and 27 million pieces of billing information were compromised. What's more interesting, is that 98% of passwords, or 19,867,627 to be exact, are in plain text. The researchers added that these numbers should be taken with a grain of salt. Real numbers of impact can be much larger. Among the impacted sites were Silid LMS, Lead Carrot, and MyChefTool, with millions of user records exposed, underscoring the severity of the breach.

Aftermath and Response

Despite efforts to notify affected organizations, the response was modest, with only 200 misconfigurations rectified. Notably, some gambling websites attempted to downplay the issue, even offering flirtatious responses.

• 842 Emails sent over 13 days
• 85% Emails delivered
• 9% Emails bounced
• 24% of Site owners fixed the misconfiguration
• 1% of Site owners emailed us back
• 0.2% (2) Sites owners offered a bug bounty

Conclusion: Strengthening Security Posture

While data breaches may appear unavoidable, proactive measures can significantly mitigate risks. Adopting a zero-trust approach, coupled with just-in-time access architecture, offers essential protection against unauthorised access. PureID provides cutting-edge solutions, including passwordless technology and advanced authentication frameworks like ZITA. By prioritising robust cybersecurity measures and leveraging innovative solutions, organizations can bolster their defences and safeguard sensitive data in today's increasingly vulnerable digital landscape.