Misconfigured Firebase Instances Expose 125 Million User Records

Hundreds of websites misconfigured Google Firebase, leaking more than 125 million user records, including plaintext passwords, security researchers warn.
Three security researchers using the online monikers mrbruh, xyzeva, and logykk explain that it all started with the hacking of Chattr, an AI hiring system used by multiple organizations in the US, including fast food chains such as Applebee's, Chick-fil-A, KFC, Subway, Taco Bell, and Wendy's.
A weakness in Chattr's Firebase implementation allowed the researchers to gain full privileges on the database simply by registering a new user account.
They gained access to names, phone numbers, email addresses, plaintext passwords for some accounts, confidential messages, and more.
The impacted individuals, the researchers say, included employees, franchise managers, and job applicants.
By creating a new administrative account, the researchers could gain access to the admin dashboard, which provided more access to the system, including the option to refund payments.
An additional 'ghost' mode was also discovered, providing access to billing information, full control over user accounts, and the option to hire people.
Chattr addressed the issue on January 10, one day after the researchers reported it.
Next, the researchers set out to identify other web applications exposing sensitive information via misconfigured Firebase instances, and found 900 websites exposing the information of 125 million users.
The identified databases contained over 80 million names, over 100 million email addresses, more than 33 million phone numbers, and over 20 million passwords, along with more than 27 million billing info entries.
According to the researchers, the total number of exposed records could be much higher.
Some of the affected websites include Silid LMS, a learning management system exposing data on 27 million users, Lead Carrot, a generator for cold calling exposing 22 million users' details, MyChefTool, a business management and PoS application for restaurants exposing 14 million names and 13 million emails, as well as an online gambling network of nine sites exposing roughly 8 million bank account details.
The researchers say they have tried to contact 842 websites, but only 85% of their emails got through.
One quarter of the sites addressed the misconfiguration and 1% emailed back.
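The class of misconfiguration the article describes, where creating an ordinary account is enough to read or write everything in the database, typically comes down to Firebase Security Rules that treat "signed in" as "authorized". The following Firestore rules file is an added illustration for defenders, not Chattr's configuration or any rules published by the researchers; the collection names (`users`, `messages`, `billing`) and the `admin` custom claim are assumptions chosen to mirror the kinds of data the article says were exposed. The weak pattern is shown commented out above the hardened rules that replace it.

```rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // WEAK (illustrative of the misconfiguration class, not the real rules):
    // any account created through a public sign-up form satisfies
    // request.auth != null, so registering a user grants full read/write
    // access to every document in the project.
    //
    // match /{document=**} {
    //   allow read, write: if request.auth != null;
    // }

    function isSignedIn() {
      return request.auth != null;
    }

    // Roles come from a custom claim set server-side with the Admin SDK.
    // A role stored in a document the client can write would let a freshly
    // registered user promote themselves.
    function isAdmin() {
      return isSignedIn() && request.auth.token.admin == true;
    }

    // Profiles (hypothetical collection): a user may read and update only
    // their own document, and may not smuggle a role field into it.
    match /users/{userId} {
      allow read: if isSignedIn() && request.auth.uid == userId;
      allow create, update: if isSignedIn()
        && request.auth.uid == userId
        && !request.resource.data.keys().hasAny(['role', 'admin']);
      allow delete: if isAdmin();
    }

    // Confidential messages (hypothetical collection): readable only by the
    // sender or recipient recorded on the document; immutable once written.
    match /messages/{messageId} {
      allow read: if isSignedIn()
        && (resource.data.from == request.auth.uid
            || resource.data.to == request.auth.uid);
      allow create: if isSignedIn()
        && request.resource.data.from == request.auth.uid;
      allow update, delete: if false;
    }

    // Billing and refund data (hypothetical collection): staff only.
    match /billing/{docId} {
      allow read, write: if isAdmin();
    }

    // Firestore denies anything not matched above; the explicit default
    // makes the intent visible in review.
    match /{document=**} {
      allow read, write: if false;
    }
  }
}
```

Two points follow from the article's findings. First, the plaintext passwords the researchers recovered are an application mistake layered on top of the rules problem: Firebase Authentication already stores hashed credentials, so password fields should never be written to Firestore or the Realtime Database at all, and no rule can make such a field safe. Second, the rules above only hold if privilege is anchored in server-set custom claims; any authorization decision that reads a client-writable field reintroduces the "register and become admin" path.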


This Cyber News was published on www.securityweek.com. Publication date: Tue, 19 Mar 2024 10:43:06 +0000

