A major security lapse has exposed the plaintext passwords and sensitive user data of 1.8 million individuals due to misconfigured Firebase instances. Discovered by cybersecurity researchers at Website Planet, the exposed data included usernames, email addresses, phone numbers, billing details and unencrypted passwords. The information was stored on open Firebase real-time databases used by over 900 mobile applications, mostly Android-based, many of which had millions of downloads. These apps spanned categories from fitness to financial services. The researchers notified Google and relevant developers, but many instances remained unsecured at the time of the report. Firebase, owned by Google, is widely used for backend app development, and its default configuration settings have previously been linked to similar incidents.
Analysis by Our Experts:
Storing plaintext passwords on open cloud databases in 2025 is not just outdated. It is reckless. This exposure did not result from a zero-day exploit or a sophisticated intrusion. It happened because basic security practices were skipped across hundreds of apps, some with millions of users. The responsibility lies both with negligent developers and with Google’s Firebase platform, which continues to allow insecure deployments by default. If cloud tools remain this frictionless for attackers, the industry needs to stop calling it innovation and start calling it liability engineering.