The target: Firebase, a Backend-as-a-Service offering from Google that is marketed towards mobile app developers .
The take: Over 100 million records from thousands of mobile apps, including plaintext user id & password combinations, GPS location records, financial records, health records and session tokens.
The attack vector: Security researchers discovered that the default configuration for Firebase databases does not secure data or require authentication, allowing unauthorized third parties to view and exfiltrate application data.