19.6 Billion Files Are Sitting Open on the Internet. No Password Required

Security Affairs, May 28, 2026

Key Takeaways

  • 19.6 B files exposed across 535 K public cloud buckets.
  • 685 K credential files (.env, .kdbx) openly accessible.
  • Nearly 1 M database dumps (.sql, .bak) available without authentication.
  • AWS hosts > 66% of the misconfigured storage.
  • Simple “list” permission creates complete attack kits.

Pulse Analysis

The rapid adoption of object storage has outpaced security hygiene, leaving default permissions unchecked in hundreds of thousands of buckets. Cloud providers ship services with "public read" or "list" toggles that, when left enabled, broadcast every file name and content URL to the internet. As organizations migrate legacy workloads and backup scripts to the cloud, the sheer volume of assets makes manual verification impractical, turning a single mis‑set flag into billions of exposed records.

When credential files such as .env or .kdbx become publicly reachable, attackers harvest database usernames, passwords and API keys in seconds. Those secrets unlock full database dumps—often .sql or .bak files—that contain raw customer records, plain‑text passwords and financial details. The attack chain is trivial: locate a key file, use its contents to download a dump, crack hashes offline, and pivot into compromised accounts or internal systems. This low‑skill, high‑reward scenario dramatically widens the threat surface for any firm that stores sensitive data in cloud buckets.

Mitigating the risk requires a shift from ad‑hoc checks to continuous, automated compliance. Enterprises should enforce "private by default" policies, encrypt all backups, and employ third‑party scanners that mimic attacker behavior to flag publicly listable buckets. Cloud‑native tools like AWS Config, Azure Policy and Google Cloud Asset Inventory can auto‑remediate misconfigurations, while secret‑management solutions keep keys out of object storage entirely. As regulators tighten data‑privacy mandates, proactive bucket hygiene will become a core component of cyber‑risk governance, protecting both businesses and their customers from inadvertent data spills.
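
One way to implement the automated check for publicly listable buckets described above, added here as an example and not taken from the article or from any vendor tool: it flags buckets whose policy or ACL grants anonymous list or read access, and honours the S3 Block Public Access settings RestrictPublicBuckets and IgnorePublicAcls. The dictionary layout (policy, acl_grants, public_access_block), the function names and the sample buckets are assumptions constructed for the example; statements that use NotAction or NotPrincipal are not evaluated.

```python
from fnmatch import fnmatchcase

# Real AWS grantee URI for "everyone"; the dict layout used below is an assumption.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    return principal == "*" or (
        isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))

def _allows(stmt, action):
    # IAM action names are case-insensitive and may contain wildcards (s3:*, s3:Get*).
    return any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt.get("Action", [])))

def audit_bucket(cfg):
    """Return findings ("public-list", "public-read") for one bucket description."""
    pab = cfg.get("public_access_block", {})
    findings = set()
    if not pab.get("RestrictPublicBuckets"):  # blocks anonymous use of public policies
        for stmt in _as_list(cfg.get("policy", {}).get("Statement", [])):
            if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
                continue
            if stmt.get("Condition"):  # conditional grants are left for manual review
                continue
            if _allows(stmt, "s3:ListBucket"):
                findings.add("public-list")
            if _allows(stmt, "s3:GetObject"):
                findings.add("public-read")
    if not pab.get("IgnorePublicAcls"):  # makes S3 ignore public ACL grants
        for grant in cfg.get("acl_grants", []):
            if grant.get("uri") == ALL_USERS and grant.get("permission") in ("READ", "FULL_CONTROL"):
                findings.add("public-list")  # READ on a bucket ACL lets anyone list keys
    return findings

def audit_all(buckets):
    return {name: sorted(audit_bucket(cfg)) for name, cfg in buckets.items()}

# Constructed sample configurations (not real buckets).
OPEN = {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": ["s3:ListBucket", "s3:GetObject"]}]}
SAMPLES = {
    "backups-open": {"policy": OPEN},
    "static-site": {"policy": {"Statement": {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject"}}},
    "legacy-acl": {"acl_grants": [{"uri": ALL_USERS, "permission": "READ"}]},
    "locked": {"policy": OPEN, "acl_grants": [{"uri": ALL_USERS, "permission": "READ"}],
               "public_access_block": {"RestrictPublicBuckets": True, "IgnorePublicAcls": True}},
}

if __name__ == "__main__":
    print(audit_all(SAMPLES))
```

A "public-list" finding is the one to treat as most urgent, since listing is what turns a single exposed file into an index of everything else in the bucket.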
