“Each one of these open instances is a data breach event waiting to happen and can pose critical business, legal and regulatory risks if they happen. These were open due to misconfiguration by the app developers. When Avast Threat Labs researchers looked at 180,300 publicly available Firebase apps, they found that over 10%, which is nearly 19,300 apps, were open, exposing the data to unauthenticated developers.

“These open instances put the data stored and used by the apps developed with Firebase at risk of theft.When developers use bad security practices, records can even contain plain text passwords,” Avast wrote in a blog post announcing its discovery. The researchers found out that this flaw not only affected Android apps across categories, but it also affected apps in regions worldwide including in Europe, South-East Asia and Latin America. Now, researchers at Avast Threat Labs discovered that over 19,300 Android apps were exposing user data, which includes personally identifiable information (PII) collected by the apps, such as names, addresses, location data, and in some cases even passwords, due to the misconfiguration of the Firebase database.