Misconfigured Firebase Instances Expose 125 Million User Records

Hundreds of websites misconfigured Google Firebase, leaking more than 125 million user records, including plaintext passwords, security researchers warn.
It all started with the hacking of Chattr, an AI hiring system that serves multiple organizations in the US, including fast food chains such as Applebee's, Chick-fil-A, KFC, Subway, Taco Bell, and Wendy's, according to three security researchers using the online monikers mrbruh, xyzeva, and logykk.
A weakness in Chattr's Firebase implementation allowed the researchers to gain full privileges on the database simply by registering a new user.
They gained access to names, phone numbers, email addresses, plaintext passwords for some accounts, confidential messages, and more.
The impacted individuals, the researchers say, included employees, franchise managers, and job applicants.
By creating a new administrative account, the researchers could reach the admin dashboard, which provided broader access to the system, including the option to refund payments.
The researchers also discovered a 'ghost' mode that provided access to billing information, full control over user accounts, and the ability to hire people.
Chattr addressed the issue on January 10, one day after the researchers reported it.
Next, the researchers set out to identify other web applications exposing sensitive information via misconfigured Firebase instances, and found 900 websites exposing the information of 125 million users.
The identified databases contained over 80 million names, over 100 million email addresses, more than 33 million phone numbers, and over 20 million passwords, along with more than 27 million billing information entries.
According to the researchers, the total number of exposed records could be much higher.
Affected websites include Silid LMS, a learning management system exposing data on 27 million users; Lead Carrot, a generator for cold calling exposing 22 million users' details; MyChefTool, a business management and PoS application for restaurants exposing 14 million names and 13 million emails; and an online gambling network of nine sites exposing roughly 8 million bank account details.
The researchers say they tried to contact 842 websites, but only 85% of their emails were delivered.
One quarter of the sites fixed the misconfiguration and 1% replied.
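As an added example, not code from the article or from the researchers (who do not publish Chattr's actual rules), the following Python audit walks a Firebase Realtime Database security-rules document and flags grants that open a path to the public or to any signed-in account. The embedded weak rule set is a constructed assumption of how a "register a user, get full access" weakness typically arises; the hardened set beside it scopes each user to their own subtree and gates admin paths on a server-set custom claim.

```python
# Constructed sample (an assumption, not Chattr's real configuration): a
# root-level "auth != null" grants every signed-in account, including anyone
# who can self-register, read and write access to the entire database.
WEAK_RULES = {
    "rules": {
        ".read": "auth != null",
        ".write": "auth != null",
    }
}

# Hardened counterpart: no root grant; a user reaches only their own subtree,
# and admin-only paths require a custom claim that is set server-side.
HARDENED_RULES = {
    "rules": {
        "users": {
            "$uid": {
                ".read": "auth != null && auth.uid == $uid",
                ".write": "auth != null && auth.uid == $uid",
            }
        },
        "admin": {
            ".read": "auth != null && auth.token.admin == true",
            ".write": "auth != null && auth.token.admin == true",
        },
    }
}

# Conditions that open a path to the public or to any signed-in account,
# compared with whitespace removed and case folded ("true" may be a bare bool).
BROAD = {"true", "auth!=null"}


def find_broad_grants(node, path="/"):
    """Walk a Realtime Database rules tree and return (path, kind, condition)
    for each .read/.write that is public or any-authenticated. Grants cascade
    to child paths, so a hit at "/" exposes the whole database."""
    hits = []
    for key, value in node.items():
        if key in (".read", ".write"):
            if str(value).lower().replace(" ", "") in BROAD:
                hits.append((path, key, value))
        elif isinstance(value, dict):
            hits.extend(find_broad_grants(value, path.rstrip("/") + "/" + key))
    return hits


def audit(doc):
    """Audit a rules document of the form {"rules": {...}}; an empty list is clean."""
    return find_broad_grants(doc["rules"])
```

Run against an exported rules JSON (loaded with `json.load`), any hit at "/" means every account that can sign in, including self-registered ones, has the run of the database.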


This Cyber News was published on www.securityweek.com. Publication date: Tue, 19 Mar 2024 10:43:06 +0000

