19.6 Billion Open Files Exposed on the Internet Without Password Protection
- May 29
- 3 min read
Key Findings
19.6 billion files exposed across 535,480 publicly accessible cloud storage buckets on AWS S3, Google Cloud, Azure, DigitalOcean, and Alibaba
685,047 credential and key files including .env files, private keys, and password vault databases sitting unprotected
985,645 database exports (.sql files) and 733,040 backup files (.bak) accessible without authentication
Over two-thirds of exposed storage located on AWS due to its dominance as the default cloud provider
No exploits, zero-days, or malware involved - all exposure caused by misconfiguration
Background
Mysterium VPN researchers analyzed bucket metadata captured in March 2026 across five major cloud platforms, categorizing files by type and filename without accessing any actual content. The sheer volume of publicly listable buckets and the files within them reveals a systemic problem in how organizations configure cloud storage security. Most of the 19.6 billion files are routine operational data like images and logs, but a significant portion represents sensitive material that should never be publicly accessible.
The Master Keys Sitting in Plain Sight
Among the exposed files are 685,047 credential and key files that represent direct access to live systems rather than just data theft. .env files contain passwords, API keys, and authentication tokens that applications rely on. .kdbx files are password manager vaults. These aren't interesting artifacts to researchers - they're master keys that unlock entire infrastructure. An attacker finding one .env file gains credentials to access databases, services, and systems that should be completely off-limits.
Unguarded Databases
The researchers discovered nearly 1 million database exports sitting in open buckets. A live database is protected by the application layer, with authentication, rate limiting, and query controls preventing unauthorized access. A database dump in an open bucket contains identical data but with all those guards removed. Anyone can download it with a single click and analyze the contents indefinitely offline. Customer names, addresses, order histories, support tickets, and plain-text passwords become available to whoever finds the bucket.
The Naming Convention Problem
Researchers found 764,015 files containing the word "secret," 250,563 containing "salary," 195,475 containing "kyc," and 124,967 containing "credentials." Files named "password," "passport," "invoice," and "backup" each exceeded one million instances. People don't label files this way by accident. These filenames signal exactly what attackers should be looking for when scanning open buckets.
How One Bucket Becomes a Complete Attack Kit
The real danger emerges when files connect to each other. An attacker finds an .env file in an open bucket and extracts database credentials from it. Those credentials open a .sql export in the same bucket containing customer email addresses and password hashes. Offline hash cracking follows, and many users reuse passwords across services. Compromised email inboxes reveal invoice-approval workflows, executive contacts, and password-reset links to everything else. What started as one misconfigured bucket becomes a complete attack kit requiring no technical skill beyond knowing where to look.
Why AWS Dominates the Exposure Count
More than two-thirds of exposed storage sits on AWS S3, but this reflects market reality rather than platform weakness. AWS is the default choice for most organizations worldwide, and defaults are where mistakes scale. When one platform hosts the majority of the world's cloud workloads, it inevitably hosts the majority of misconfigured ones. The lesson isn't to avoid Amazon - it's that exposure follows wherever the crowd goes.
The Root Cause: Configuration Over Compromise
There's no zero-day vulnerability or sophisticated attack in this story. Every single exposed file exists because of a setting. A bucket flipped to "list" instead of "private." A backup script pointed at the wrong path. A developer who stored an .env file in the wrong location. The structural problem is that centralization turns a single wrong toggle into a complete data spill. A credential file only becomes catastrophic when the kingdom is centralized behind it.
The Fix Requires Discipline
Organizations running cloud storage need to adopt straightforward but demanding practices. Default everything to private rather than public. Never store secrets in object storage where they can be accidentally exposed. Encrypt every backup. Scan your own infrastructure footprint the way an attacker would. The uncomfortable truth is simple: if you can list a bucket without logging in, so can everyone else.
Sources
https://securityaffairs.com/192787/security/19-6-billion-files-are-sitting-open-on-the-internet-no-password-required.html
https://x.com/securityaffairs/status/2059906655102398501
https://www.linkedin.com/posts/pierluigipaganini_196-billion-files-are-sitting-open-on-the-activity-7465672307919761408-SEyq
https://www.socdefenders.ai/item/78ac994a-db28-48e0-9610-cf3d46bd4f50

Comments