Over ten billion user credentials have been left exposed online thanks to unsecured databases.

This is according to NordPass. As part of in-depth research, the password manager, in partnership with a white hat hacker who scanned elasticsearch and mongoDB libraries looking for unprotected databases, discovered 9,517 unsecured databases containing 10,463,315,645 entries. This included data such as emails, passwords and phone numbers from 20 different countries.

Of the almost 10,000 unsecured databases NordPass discovered, almost 4000 were from China, with the US having 3000 unsecured databases and India having 520.

NordPass estimates that data related to 2.6 billion users could be included in the databases.

Unsecured databases are data sets stored on cloud hosting services that have not been properly secured, meaning they can be accessed by unauthorised users. This means that a cyber criminal would not even have to breach an organisation to access data, but could simply find it unprotected online.

Data repositories, such as Amazon Web Services’s AWS S3 bucket, have led to many accidental data leaks when customers leave them public instead of private.

Finding exposed databases is also fairly straightforward, with search engines such as Censys or Shodan scanning the web for them.

Even if financial information is not included, hackers can use information found on unsecured databases to carry out phishing or social engineering attacks. The inclusion of passwords in unsecured databases also makes it easy for attackers to breach victims’ online accounts.

Unprotected databases have been the reason behind some high-profile data leaks, such the incident last year in which millions of Facebook records, including passwords, were left exposed on a public Amazon server.

Earlier this year, Verdict uncovered an unsecured server that left the personal data of 17,379 yachting industry professionals exposed.

“Every company, entity, or developer should make sure they never leave any database exposed, as this is obviously a huge threat to user data,” says Chad Hammond, security expert at Nordpass.

“Proper protection should include data encryption at rest, wire (in motion) data encryption, identity management, and vulnerability management.

“Identity management is another important step and should be used to ensure that only the relevant people in an enterprise have access to technological resources.”

Read more: We’d change AWS S3 bucket security if we had “a time machine”: AWS director.