Due to an error in Google Firebase configuration, the sensitive data of at least 900 websites, including personal information of users, was exposed to the public on the Internet. This breach led to the discovery of entries from at least 125 million users, revealing payment information and passwords in open form.
The Env.fail team conducted a scan using a tool to identify improperly configured Firebase databases over 2-3 weeks, checking 5.2 million domains. As a result, they found open data on more than 900 sites, including 85 million names, 106 million email addresses, 34 million phone numbers, 20 million passwords, and 27 million payment details.
Of the 842 site owners notified about the issues found, only 202 (24%) took action to correct the configuration errors. Surprisingly, only 8 site owners responded to the notifications, and only 2 of them offered a reward for identifying the vulnerability.
Google Firebase, a widely used cloud service for data storage, provides guidelines for data protection. However, this is not the first incident where problems have occurred due to incorrect configurations. Past incidents have involved data from 4,000 Android applications due to Firebase implementation errors.
Issues like these have been prevalent in cloud services, including Amazon AWS, until the company implemented default safe settings for customers. Nevertheless, according to OWASP, incorrect security configurations remain one of the top five most common vulnerabilities, highlighting the importance of raising awareness about security concerns among website owners.