Three security researchers recently uncovered over 900 websites with misconfigured Firebase instances, resulting in the exposure of account information from over 100 million users. The compromised data includes names, email addresses, phone numbers, passwords, and billing information.
These researchers were inspired by another security researcher, MrBruh. In January of this year, MrBruh conducted scans on hundreds of AI startups, speculating that these companies might overlook proper security measures in their rush to launch products. This led MrBruh to develop a script to search for leaked Firebase credentials. To their surprise, they discovered a misconfiguration in the AI recruitment system called Chattr.ai, allowing them to access the Chattr.ai backend Firebase database with full read and write permissions simply by registering their own Firebase account.
Chattr.ai assists numerous chain restaurants in the United States, including Applebees, KFC, Taco Bell, and Wendy’s, in finding part-time workers. As a result, MrBruh gained access to employee, franchise manager, and job seeker information, including names, phone numbers, email addresses, passwords, store locations, and conversation records.
HackersBait previously analyzed this misconfiguration incident, pointing out that the Firebase configuration of Chattr.ai lacked proper authentication and access controls, leading to the breach.
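As an added illustration (not Chattr.ai's or the researchers' configuration), the Firestore security rules below show the kind of "any signed-in user" grant that produces the behaviour described above, followed by an owner- and role-scoped rewrite; the collection names and the `role` custom claim are assumptions.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // WEAK: "authenticated" is not "authorised". Anyone who self-registers
    // an account against the project's public client config passes this
    // check and gets full read/write on every document.
    // match /{document=**} {
    //   allow read, write: if request.auth != null;
    // }

    // HARDENED: scope every grant to the caller's identity or role.
    function isSignedIn() {
      return request.auth != null;
    }
    function isOwner(uid) {
      return isSignedIn() && request.auth.uid == uid;
    }
    // 'role' is an assumed custom claim set server-side via the Admin SDK;
    // clients cannot grant it to themselves.
    function isStaff() {
      return isSignedIn() && request.auth.token.role == 'staff';
    }

    // Each applicant may read and edit only their own profile; staff may read.
    match /applicants/{uid} {
      allow read: if isOwner(uid) || isStaff();
      allow create, update: if isOwner(uid)
        && request.resource.data.keys().hasOnly(['name', 'email', 'phone']);
      allow delete: if false;
    }

    // Conversation records are visible only to the listed participants.
    match /conversations/{convId} {
      allow read: if isSignedIn()
        && request.auth.uid in resource.data.participants;
      allow write: if false;   // written by the trusted backend only
    }

    // Paths not matched above are denied by default; there is no catch-all grant.
  }
}
```

Because Firestore allows access if any matching rule grants it, a broad `match /{document=**}` grant anywhere in the file silently overrides the scoped rules, so removing it matters as much as adding them.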
After the news of MrBruh’s compromise of Chattr.ai surfaced, three researchers, known by the aliases mrbruh, xyzeva, and logykk, decided to conduct a large-scale scan for misconfigured Firebase databases. The scan revealed that 900 websites still had this vulnerable configuration, exposing a total of 124 million records: 84 million names, over 100 million email addresses, 33 million phone numbers, 20 million passwords, and more than 27 million billing records.
Among the exposed data, the educational management platform Silid LMS had information from 27 million users exposed, while an online gambling website exposed 8 million bank account details and 10 million plaintext passwords.
Subsequently, the three researchers sent 842 emails to the affected websites, 85% of which were delivered. However, only 24% of the websites changed their Firebase configurations, and only 1% responded to the emails. Two websites offered bug bounty rewards for the discovered vulnerabilities.