Large-Scale Data Exposures Driven by Misconfigured Cloud Datastores
Cybernews researchers reported multiple data exposures caused by misconfigured back-end services, including consumer mobile apps and a large unprotected database. Three widely downloaded Android AI photo identification apps—Insect Identifier by Photo Cam, Dog Breed Identifier Photo Cam, and Spider Identifier App by Photo—reportedly leaked more than 150,000 users’ data via a Firebase misconfiguration with inadequate authentication/access controls. Exposed data included email addresses, usernames, profile photos, notification tokens, and GPS coordinates; while passwords were not found, researchers noted the location data could enable stalking, doxxing, and targeted scams, and observed indications that automated bots had already discovered the exposed databases prior to the investigation. The apps were attributed to publisher MobilMinds (linked to OZI Technologies), and the developers reportedly did not respond to requests for comment.
Separately, Cybernews identified an unprotected Elasticsearch cluster exposing approximately 8.7 billion records associated with China, including names, birthdates, home addresses, national ID numbers, social media identifiers, usernames, and other account/platform details; the dataset also reportedly contained plaintext credentials and corporate/business records, suggesting long-term aggregation. The database’s ownership was not confirmed, but it was subsequently secured; researchers characterized the exposure as a systemic privacy risk potentially affecting hundreds of millions of individuals. Two additional items in the set describe individual bug-hunting writeups (e.g., bypassing mobile controls and abusing password reset/IDOR-style issues) but do not provide verifiable linkage to the specific Firebase/Elasticsearch exposures described above.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Researchers find threat actors and bots had accessed exposed app databases
Researchers reported signs that automated bots had discovered the exposed AI photo app databases before their investigation and that the leaked user data had already been obtained by threat actors. The app developers did not respond to requests for comment.
AI photo apps leak data from more than 150,000 users
Several popular Android AI photo identification apps published under MobilMinds, linked to OZI Technologies, exposed more than 150,000 users' data because of a misconfigured Firebase instance with weak authentication and access controls. The leaked data included email addresses, profile photos, usernames, notification tokens, and GPS coordinates.
Exposed Chinese database is secured after discovery
After researchers identified the massive Chinese data exposure, the misconfigured database was secured. Its ownership was not confirmed, but the incident was described as a major systemic privacy risk.
Chinese Elasticsearch cluster exposes 8.7 billion records
An unprotected Elasticsearch cluster associated with China exposed more than 8.7 billion records, including names, birthdates, home addresses, national ID numbers, social media identifiers, plaintext credentials, and business records. Researchers said the dataset appeared to have been assembled through long-term data aggregation and could affect hundreds of millions of people.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Privacy and data exposure incidents across consumer apps, software supply chains, and misconfigured servers
Multiple disclosures highlighted ongoing **data exposure risks** driven by misconfiguration and weak controls. Cybernews researchers reported that three photo-identification mobile apps exposed data for ~152,000 users due to **misconfigured Firebase** databases lacking authentication, leaking emails, usernames, profile photos, and **GPS coordinates**; evidence in the exposed data suggested automated scanning and prior access by attackers. Separately, a large-scale internet study found nearly **5 million** public web servers with accessible `.git` directories, including more than **250,000** instances exposing `.git/config`, which can contain deployment credentials and enable source-code reconstruction, secret theft, and follow-on compromise. In parallel, **software supply-chain abuse** targeted the dYdX ecosystem via malicious packages on **npm** and **PyPI** that stole wallet seed phrases and other credentials; one PyPI package also reportedly deployed a **remote access trojan** enabling code execution and theft of API credentials, SSH keys, source code, and other sensitive files, with potential for persistence and lateral movement. Separately from these incident reports, Google announced privacy-focused search features aimed at faster removal of **non-consensual explicit imagery** (including deepfakes) and expanded monitoring via *Results about you* to help users detect and request removal of exposed government ID numbers—positioned as a protective measure rather than a breach disclosure.
Mar 21, 2026
Massive Data Exposure via Misconfigured Elasticsearch Server Containing 6 Billion Records
A misconfigured Elasticsearch server, believed to be operated from Russia or a Russian-speaking country, was discovered leaking over 6.19 billion records to the public internet without any authentication or password protection. The exposed server contained a massive trove of 1.12 terabytes of data, including records collected from both disclosed and undisclosed data breaches, as well as information obtained through website scraping. Among the most sensitive data found were records from Ukrainian bank Accordbank, which included users’ full names, birthdates, birthplaces, addresses, phone numbers, national ID numbers, passport numbers, and tax codes. Independent cybersecurity researcher Anurag Sen was the first to identify the exposed server and report its existence to the media. The server’s index information confirmed the scale of the exposure, with over 6.19 billion records available for anyone to access. Screenshots from the server revealed that the data was stored in JSON format and included detailed personally identifiable information (PII) from various sources. The database also contained files referencing Accordbank, which were later observed being peddled by the user "tRex_Prime" on DarkForums, indicating that the data may have already been accessed and distributed by other threat actors. The leak included not only banking and contact information but also records from other breaches and data scraped from websites, making the exposure particularly broad and damaging. The server was eventually taken offline, but it remains unclear how long the data was accessible or how many unauthorized parties may have downloaded the information. Previous incidents involving hacking groups such as ShinyHunters and Nemesis were also mentioned, as they had leaked stolen data and hacking tools from other exposed cloud storage resources in the past. The incident highlights the ongoing risks associated with misconfigured cloud infrastructure and the potential for large-scale data aggregation to amplify the impact of breaches. Security experts warn that such exposed databases are prime targets for cybercriminals seeking to exploit PII for identity theft, fraud, and further attacks. The presence of both old and new breach data, as well as scraped information, demonstrates the evolving tactics of threat actors in collecting and monetizing sensitive information. Organizations are urged to regularly audit their cloud configurations and monitor for unauthorized data exposures to prevent similar incidents. The scale and sensitivity of the leaked data underscore the urgent need for improved security practices in managing large datasets, especially those containing PII from multiple sources. The incident serves as a stark reminder of the consequences of failing to secure cloud-based data storage and the far-reaching impact such exposures can have on individuals and organizations worldwide.
Mar 21, 2026
Multiple Consumer Data Exposures: IDMerit Database Leak, youX Intrusion, and Substack User Data Access
Cybersecurity researchers reported a major exposure at **IDMerit**, an AI-driven identity verification provider, after discovering an unsecured, internet-accessible **MongoDB** instance containing **over 3 billion records** (over 1TB). Exposed data reportedly included full names, addresses, dates of birth, national ID numbers, phone numbers, and email addresses; researchers estimated roughly **~1 billion** records contained sensitive data (with duplicates likely inflating the total). The dataset was described as global in scope, affecting individuals across **26 countries**, with large volumes attributed to the **US, Mexico, and the Philippines**, creating downstream risk for **identity fraud, account takeover, phishing, and SIM-swap** activity. Separately, Australian finance technology platform **youX** confirmed an **unauthorized third-party access** incident, after which a hacker claimed theft of data tied to **444,528** Australian borrowers and additional loan-application and identity data (including driver’s licence numbers, addresses, and credit/banking-related information), plus customer/staff details associated with broker organizations. **Substack** also confirmed unauthorized access to **limited user data** (including email addresses, phone numbers, and internal account metadata) that occurred in **October 2025** but was only identified on **Feb. 3, 2026**; Substack stated **passwords and payment card/financial data were not accessed**, but the extended detection gap raised concerns about monitoring and dwell time.
Mar 21, 2026