19.6 Billion Files Exposed in 535,000 Open Cloud Buckets
A new report from Mysterium VPN has put a staggering number on a problem security researchers have warned about for years: 19.6 billion files are sitting openly accessible on the internet right now, stored in more than 535,000 misconfigured cloud storage buckets that require no password, no authentication, and no hacking skill to access. Among those files are nearly 700,000 credential and key files that could hand an attacker direct access to live systems, databases, and internal infrastructure.
This is not a breach in the traditional sense. No one had to exploit a vulnerability or intercept network traffic. The data is simply open, a consequence of cloud storage configurations that were set incorrectly and left that way.
Scale of the Exposure: 19.6 Billion Files, Zero Passwords
The sheer volume of exposed data is difficult to contextualize. At 19.6 billion files spread across over half a million storage buckets, this represents one of the largest documented cases of misconfigured cloud storage bucket exposure ever catalogued. These buckets span cloud platforms where organizations of every size, from solo developers to large enterprises, store application data, backups, logs, and sensitive records.
Misconfigured cloud storage is not a new problem, but the scale reported here suggests it is far from a solved one. Default settings, rushed deployments, and gaps in cloud security knowledge all contribute to buckets being left publicly readable. In many cases, the organizations responsible may not even know their data is exposed.
This mirrors patterns seen in other high-profile incidents. A misconfigured analytics dashboard at FTF Live recently left over 22 million video chat session records openly accessible, illustrating how a single infrastructure oversight can expose sensitive data at massive scale without any active attack taking place.
Why Credential and Key Files Are the Most Dangerous Leak
Of the 19.6 billion exposed files, the nearly 700,000 credential and key files represent the highest-risk category by a wide margin. These files often contain API keys, database passwords, private cryptographic keys, SSH credentials, and cloud provider access tokens.
When an attacker finds a credential file in an open bucket, they do not need to do anything technically sophisticated next. They can take those credentials and authenticate directly to the systems they protect. That could mean read and write access to a production database, the ability to spin up cloud infrastructure on someone else's account, or entry into internal systems that would otherwise be completely off-limits.
Database dumps present a separate but equally serious risk. These files often contain user records, hashed or plaintext passwords, personal information, and transaction data. A database dump from a healthcare provider, a financial platform, or an e-commerce site can contain everything an attacker needs to pursue identity theft, account takeover, or extortion.
How Cloud Misconfigurations Bypass Even VPN-Protected Networks
One of the more counterintuitive aspects of this type of exposure is that it sidesteps many of the security controls organizations rely on. VPNs, firewalls, and network access controls are designed to protect traffic moving between systems. But when data is stored in a public cloud bucket, it is not traveling through those protected networks at all. It is sitting in a location anyone with an internet connection can reach.
This means an attacker in another country, with no access to a corporate network and no ability to bypass a firewall, can still retrieve the contents of an exposed bucket by navigating directly to its public URL. The data effectively exists outside the perimeter that most organizational security tools are designed to defend.
This is why misconfigured cloud storage bucket exposure has become one of the most efficient paths for data collection by threat actors. There is no attack to detect, no unusual traffic to flag, and no intrusion to investigate. From the infrastructure's perspective, someone reading an open bucket looks identical to routine traffic.
What Organizations and Individuals Can Do Right Now
For organizations managing cloud storage, the most urgent step is a permissions audit. Every storage bucket should be reviewed to confirm it is not set to public access unless there is a deliberate, documented reason for it. Major cloud providers including AWS, Google Cloud, and Azure all offer tools to identify buckets with overly permissive access controls, and some now provide account-level settings to block all public access by default.
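As an added example (not from the Mysterium VPN report or from any provider's tooling), the permissions audit described above is sketched here for one provider, AWS S3, run over bucket configuration that has already been exported. The bucket names and sample inventory are constructed, and conditions are not evaluated: any policy statement with a Condition is flagged for manual review.

```python
import json

# Canned ACL group URIs that S3 treats as "anyone" / "any AWS account holder".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
PUBLIC_GROUPS = {ALL_USERS, "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wildcard_principal(principal):
    # "Principal": "*" and "Principal": {"AWS": "*"} both mean anyone.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def audit_bucket(name, policy_json=None, acl_grants=(), block=None):
    """Return findings for one bucket: policy, ACL grants, Public Access Block flags."""
    block = block or {}
    findings = []
    for grant in acl_grants:
        uri = grant.get("Grantee", {}).get("URI")
        # IgnorePublicAcls makes S3 disregard public ACL grants on the bucket.
        if uri in PUBLIC_GROUPS and not block.get("IgnorePublicAcls"):
            findings.append(f"{name}: ACL grants {grant.get('Permission')} to {uri.rsplit('/', 1)[-1]}")
    statements = _as_list(json.loads(policy_json).get("Statement", [])) if policy_json else []
    for st in statements:
        if st.get("Effect") != "Allow" or not _wildcard_principal(st.get("Principal")):
            continue
        if block.get("RestrictPublicBuckets"):
            continue  # public policy exists, but anonymous access is cut off
        kind = "conditional (review)" if st.get("Condition") else "unconditional"
        findings.append(f"{name}: policy allows {_as_list(st.get('Action'))} to anyone, {kind}")
    return findings

# Constructed sample inventory; names and settings are made up for illustration.
SAMPLE = [
    {"name": "example-backups", "policy_json": json.dumps({"Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-backups/*"}]})},
    {"name": "example-logs", "block": {"IgnorePublicAcls": True},
     "acl_grants": [{"Grantee": {"URI": ALL_USERS}, "Permission": "READ"}]},
    {"name": "example-assets",
     "acl_grants": [{"Grantee": {"URI": ALL_USERS}, "Permission": "READ"}]},
]

def audit_all(buckets):
    return [finding for b in buckets for finding in audit_bucket(**b)]

if __name__ == "__main__":
    print("\n".join(audit_all(SAMPLE)))
```

The second sample bucket produces no finding because its public ACL grant is neutralised by IgnorePublicAcls, which is the effect the account-level block settings mentioned above are meant to have.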
Beyond permissions, credential hygiene matters enormously. Credential and key files should never be stored in cloud storage buckets under any circumstances. Secrets management tools exist specifically to handle API keys, tokens, and credentials securely, keeping them out of file storage entirely.
For individuals, the risk is less about what you control and more about what organizations holding your data control. The practical steps are familiar: use unique, strong passwords for each account so a credential dump from one service cannot unlock others, enable multi-factor authentication wherever it is offered, and monitor accounts for unusual activity.
The Mysterium VPN findings are a reminder that some of the most significant data security risks do not involve sophisticated attacks at all. They involve ordinary administrative oversights that go unchecked for months or years. Auditing cloud storage hygiene is not glamorous work, but at the scale this report describes, it is some of the most consequential security work an organization can do right now.




