Over ten billion user credentials have been left exposed online thanks to unsecured databases.

This is according to NordPass. As part of in-depth research, the password manager, in partnership with a white hat hacker who scanned Elasticsearch and MongoDB libraries looking for unprotected databases, discovered 9,517 unsecured databases containing 10,463,315,645 entries. This included data such as emails, passwords and phone numbers from 20 different countries.

Of the almost 10,000 unsecured databases NordPass discovered, almost 4,000 were from China, with the US having 3,000 unsecured databases and India having 520.

NordPass estimates that data related to 2.6 billion users could be included in the databases.

Unsecured databases are data sets stored on cloud hosting services that have not been properly secured, meaning they can be accessed by unauthorised users. This means that a cyber criminal would not even have to breach an organisation to access data, but could simply find it unprotected online.

Data repositories, such as Amazon Web Services’ AWS S3 buckets, have led to many accidental data leaks when customers leave them public instead of private.

Finding exposed databases is also fairly straightforward, with search engines such as Censys or Shodan scanning the web for them.

Even if financial information is not included, hackers can use information found on unsecured databases to carry out phishing or social engineering attacks. The inclusion of passwords in unsecured databases also makes it easy for attackers to breach victims’ online accounts.

Unprotected databases have been the reason behind some high-profile data leaks, such as the incident last year in which millions of Facebook records, including passwords, were left exposed on a public Amazon server.

Earlier this year, Verdict uncovered an unsecured server that left the personal data of 17,379 yachting industry professionals exposed.

“Every company, entity, or developer should make sure they never leave any database exposed, as this is obviously a huge threat to user data,” says Chad Hammond, security expert at NordPass.

“Proper protection should include data encryption at rest, wire (in motion) data encryption, identity management, and vulnerability management.

“Identity management is another important step and should be used to ensure that only the relevant people in an enterprise have access to technological resources.”

