Hundreds of Google Firebase websites might have leaked data online

News
By published

Sensitive data was sitting in plaintext

An abstract image of a cloud raining data.
(Image credit: Pixabay)

Another day, another misconfigured database leaking sensitive user information to the internet - but this time around, it's a big one - more than 900 websites using Google’s cloud database service, Firebase.

As reported by The Register, researchers with aliases mrbruh, xyzeva, and logykk, recently found that the AI hiring service “chattr” poorly implemented Firebase, and as a result, they were able to create a new admin account and access sensitive data stored there.

This inspired them to scan the internet for similar instances, using a custom-built tool. They found “more than 900” websites leaking roughly 125 million sensitive data records.

More sites lurking in the dark

These records included 85 million names, 106 million email addresses, 34 million phone numbers, 20 million passwords, and 27 million billing details. More than enough for years of wire fraud, identity theft attacks, and more. All of the data was obtainable in plaintext.

The researchers added that while the findings might sound disastrous, the reality is probably even worse, as there is a good chance they did not find all of the misconfigured sites. In the weeks following their discovery, they managed to reach out to 842 websites, of which 85% apparently received the warning. Nine percent of emails bounced. 

Of those that got the notification, 24% reacted and fixed the issue, one percent reached back to the researchers, and 0.2% offered a bug bounty. 

Firebase is a backend service that offers cloud data storage and development tools for websites and apps. According to 6sense, Firebase has more than 47,000 customers this year, with the vast majority - 54.25% (18,613) - being from the United States. Some of its high-profile clients include Alibaba, Lyft, Venmo, and The Economist.

Misconfigured databases are one of the biggest causes of data leaks these days, as they mostly happen due to human oversight.

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Cartoon Phishing
One of the largest data leaks ever sees info on 1.5 billion people leaked online
Data leak
AI development service Builder.ai potentially exposed over 1TB of user data
Data leak
Popular online bill paying site leaks data of thousands of users
A person using DeepSeek on their smartphone
DeepSeek security breach - critical databases exposed, more than one million records reportedly leaked
Suitcase next to a bed in a hotel
Millions of hotel users see personal info checked out in huge data leak
Shadowed hands on a digital background reaching for a login prompt.
Private API keys and passwords found in AI training dataset - nearly 12,000 details leaked
Latest in Security
Data Breach
Thousands of healthcare records exposed online, including private patient information
China
Juniper patches security flaws which could have let hackers take over your router
Representational image depecting cybersecurity protection
GitLab has patched a host of worrying security issues
Ai tech, businessman show virtual graphic Global Internet connect Chatgpt Chat with AI, Artificial Intelligence.
AI agents can be hijacked to write and send phishing attacks
China
Volt Typhoon threat group had access to American utility networks for the best part of a year
Abstract image of cyber security in action.
MassJacker malware targets those looking for pirated software
Latest in News
A super close up image of the Google Gemini app in the Play Store
It's official: Google Assistant will be retired for phones this year, with Gemini taking over
Quordle on a smartphone held in a hand
Quordle hints and answers for Sunday, March 16 (game #1147)
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Sunday, March 16 (game #378)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Sunday, March 16 (game #644)
Three iPhone 16 handsets on show
Apple could launch an iPhone 17 Ultra this year – but we've heard these rumors before
Super Mario Odyssey
ChatGPT is the ultimate gaming tool - here's 4 ways you can use AI to help with your next playthrough
More about security
Email

Over 90% of Americans demand a "right-to-disconnect" law which would protect them from out-of-hours work communication
A hand holding an iPhone with the iCloud logo on screen.

"I have nothing to hide" - our readers react to Apple getting secret hearing in appeal against UK government
diamond gemstone

Diamond set to become mainstream coolant for AI GPU servers as world’s best thermal conductor promises 25% better overclocking, and 'double performance per watt'
See more latest
Most Popular
diamond gemstone
Diamond set to become mainstream coolant for AI GPU servers as world’s best thermal conductor promises 25% better overclocking, and 'double performance per watt'
Zuckerberg Meta AI
Meta powers ahead with conscious chip uncoupling with Nvidia as it tests its first in-house training AI-PU
Email
Over 90% of Americans demand a "right-to-disconnect" law which would protect them from out-of-hours work communication
A super close up image of the Google Gemini app in the Play Store
It's official: Google Assistant will be retired for phones this year, with Gemini taking over
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Sunday, March 16 (game #378)
Quordle on a smartphone held in a hand
Quordle hints and answers for Sunday, March 16 (game #1147)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Sunday, March 16 (game #644)
Gachapon Capsure Station
Somewhere in Japan is a dispenser where you can buy toy rack servers complete with cute Dell PowerEdge 2U servers
An angry Mark Grayson flying towards the camera in Invincible season 3 episode 7
Invincible season 4: everything we know so far about the hit Prime Video show's next chapter
Three iPhone 16 handsets on show
Apple could launch an iPhone 17 Ultra this year – but we've heard these rumors before