Millions of users’ data leaked through misconfigured Firebase backends

We may earn a commission for purchases made using our links.

Millions of users’ data have been leaked because of misconfigured Firebase backends, according to a report from Appthority. Around 113GB of data over 2,271 databases were exposed publicly as a result of being misconfigured. Firebase is a Backend-as-a-Service offering by Google which was reported to be the fastest growing SDK in 2017. The service is hugely popular among the top Android developers. It provides cloud messaging, push notifications, databases, analytics, advertising and a lot more that developers can utilize, all powered by Google’s high-performance servers. However, it seems that many developers are misusing it.

According to the report, starting in January 2018, researchers scanned mobile apps which utilize Firebase for their back-end functionality. After scanning a little over 2.7 million iOS and Android applications, they found that around 28 thousand of these used Firebase. Of those apps, some 3,000 were leaking their data in a publicly viewable database that could be found by monitoring the app’s communication with a server. What’s more, the total downloads of these 3,000 applications exceeded 620 million, suggesting some very high-profile applications are possible offenders too. The types of data that were leaked are below.

2.6 million plaintext passwords and user IDs

4 million+ PHI (Protected Health Information) records (chat messages and prescription details)

25 million GPS location records

50 thousand financial records including banking, payment and Bitcoin transactions

4.5 million+ Facebook, LinkedIn, Firebase, and corporate data store user tokens

At present, there’s no way to tell whether your data has also been leaked, but it’s always safest to assume the worst so you should act accordingly. Appthority claims that they notified Google prior to publishing the report, providing the list of affected applications along with the links to the publicly viewable databases.

We can only hope that the list of applications will be released later, as currently users are left in the dark as to whether their information is publicly viewable or not. While presumably trustworthy, eyes from both Google and the researchers will have seen the data. We recommend changing your passwords as a precaution until we find out more information.