The Intake Gate Your CISO Is Missing — 300 Million AI Chat Messages Were Public by Default

In January 2026, a security researcher poked at a consumer AI chat app called Chat and Ask AI and found something stupid. The Firebase Realtime Database behind it was set to public read. No token. No auth of any kind. Around 300 million private chat messages, tied to roughly 25 million users, sat there openly queryable for a long stretch before anyone flagged it and shipped a fix.

And the content was not small talk. People had typed in medical questions, legal problems, financial details, the kind of private disclosures you would not say out loud in an office. The vendor patched within hours of disclosure. That part was fine. But the window was already open, and the data was already sensitive, so the liability sticks. To the vendor, sure. Also to any company whose staff used the tool for work.

On its own this is a bad day for one app. As a pattern it is much worse. Researchers then scanned 200 iOS apps running on Firebase and found 103 of them carrying the exact same public-access mistake. More than half. So this is not one careless vendor. It is the whole category falling over.

What the misconfiguration actually looks like#

Before we get to governance, look at how trivial the failure is. Firebase Realtime Database uses security rules to gate reads and writes. The bad default that caused this breach reads like this:

1
{
2
  "rules": {
3
    ".read": true,
4
    ".write": true
5
  }
6
}

That hands any unauthenticated HTTP request full read and write over the entire database. Every message. Every username. Every session. Available to anyone who can build the right URL.

A locked-down version forces authentication and scopes each user to their own records:

1
{
2
  "rules": {
3
    "chats": {
4
      "$userId": {
5
        ".read": "$userId === auth.uid",
6
        ".write": "$userId === auth.uid"
7
      }
8
    }
9
  }
10
}

Six lines of JSON. That is the entire gap between “300 million messages exposed” and “data properly isolated.” Nobody got clever here. A default went unchecked, and that was enough.

I have led plenty of platform engagements where third-party AI tools were in scope. In every one of them, the backend access config was either unknown to the team adopting the tool, or waved off as something the vendor handled. It never was handled. The pattern does not change: teams pick AI tools on features and never look at the infrastructure underneath. Run that gap at scale and the Firebase breach is what you get. It was always coming.

The governance gap#

Firebase actually ships locked down. No reads, no writes, nothing open by default. But the setup wizard dangles a test mode with full public access for prototyping, and developers push that test config straight to production. Why? Because no review step forces anyone to close it before launch.

Most companies have grown-up intake for SaaS that touches email, CRM, or money. AI chat tools slipped right past all of it. An employee downloads one on a whim. A team brings one in without ever calling procurement. And the backend config, the thing that decides whether user data is locked or wide open, gets checked by exactly nobody on the adopting side.

Thales’ 2026 Data Threat Report puts numbers on how wide this gap runs. Only about a third of surveyed organizations say they actually know where all their data lives, and that is while AI tools are being handed broad internal access. Sixty-one percent name AI as their top data security risk. Seventy percent say the pace of AI-driven change is their single biggest security challenge. The concern is clearly there. What is missing is the bridge to control: the intake gate, the config check, the access audit. Most shops do not have it.

Risk and liability#

Liability here works on two levels.

Direct exposure. Any company whose employees ran Chat and Ask AI, or any of the other 103 broken apps, for work conversations is now looking at possible regulatory notification duties. If someone pasted in PII, protected health information, legal privilege, or financial material, that can pull in GDPR, HIPAA, state breach notification laws, or sector rules, depending on jurisdiction and how the data is classified.

Systemic exposure. Leadership gets a nastier question. If more than half of AI apps on a major backend carry the same flaw, what are the odds your own employees are using at least one of them right now? With no central AI tool inventory, you cannot answer that. And “we didn’t know” does not hold up in front of a regulator.

IBM’s 2026 X-Force Threat Intelligence Index piles on. Over 300,000 stolen ChatGPT credentials were found floating around through infostealer malware. AI chat platforms are now a prime target for credential theft. So the exposure is not just misconfigured backends. It is also compromised accounts on the platforms your people log into every day.

Blast radius#

The Firebase incident by itself is already large: 300 million messages, full chat histories, usernames, sensitive content. But the systemic read, 103 of 200 apps broken, turns it from a one-vendor story into a supply-chain problem for anyone who lets staff use third-party AI tools without checking the backend.

What pushes the risk up a tier is the compounding. Thales reports 67% of organizations name credential theft as the main attack vector against cloud. Nearly 60% have already been hit by a deepfake incident. Stack misconfigured AI backends on top of stolen AI credentials on top of missing data classification, and you get a compound exposure that no single fix can clean up.

There is a cost angle too, and it almost never makes it into the incident writeup. AI data retention you cannot measure, spread across several tools and cloud regions, quietly bloats storage and compliance spend. If you cannot even list which AI tools are holding your data, you cannot enforce data minimization or retention. Both of which regulators are leaning on harder, under GDPR and the newer US state privacy laws alike.

Control protocol: specific tooling, not generic advice#

The control framework runs in three layers: visibility, then identity enforcement, then continuous verification. Each one names the actual tooling you need, not just the principle behind it.

Layer 1 — Visibility (Days 1–7)#

Objective: Know what AI tools are in your environment. Block what you have not verified.

Network-layer blocking: Deploy a Secure Web Gateway (Cloudflare Gateway, Zscaler Internet Access, or Netskope) with a deny-by-default policy for uncategorized AI/ML SaaS domains. Maintain an explicit allowlist for approved tools only.
Endpoint-layer blocking: Push MDM policies (Intune, Jamf, Kandji) to prevent installation of unapproved AI applications on managed devices.
AI tool registry: Publish a central registry (a shared spreadsheet is adequate for Week 1; migrate to a proper SaaS inventory tool like Productiv, Zylo, or Torii for scale). Every external AI tool used for work must be listed, owner-assigned, and approved before use.
One-time backend audit of approved tools: For any approved tool using Firebase, run an open-source Firebase auditing tool (such as Baserunner) or use curl against the Realtime Database REST endpoint to confirm that unauthenticated reads are rejected:

1
# Quick check: if this returns data, the database is publicly readable
2
curl -s "https://<project-id>.firebaseio.com/.json"
3
# Secure response: {"error":"Permission denied"}
4
# Insecure response: actual database contents

Layer 2 — Identity Enforcement (Days 8–14)#

Objective: Elevate AI platforms to the same identity governance tier as your CRM and financial systems.

SSO-only access: Require SAML/OIDC integration for all approved AI tools. Configure this in your IdP (Okta, Entra ID, Google Workspace). Tools that cannot integrate with SSO are disqualified from the approved list — no exceptions.
Mandatory MFA: Enforce phishing-resistant MFA (FIDO2/WebAuthn preferred) for AI platform access via conditional access policies.
Vendor attestation: Add a backend security configuration attestation to procurement and renewal checklists. Require vendors to confirm: (1) no public-access database rules, (2) encryption at rest and in transit, (3) data residency and retention policy. This is a procurement process change, not a technical deployment.
Credential rotation: For any AI platform where credentials may have been exposed, force password rotation and revoke existing API tokens immediately.

Layer 3 — Continuous Verification (Days 15–30, then Ongoing)#

Objective: Detect vendor configuration drift and anomalous AI tool usage before they become incidents.

Automated configuration scanning: Schedule quarterly (minimum) automated checks against approved AI tool backends. For Firebase-backed tools, integrate the curl check above into your CI/CD or security scanning pipeline. For broader SaaS posture management, evaluate SSPM tools (Obsidian Security, AppOmni, Adaptive Shield).
Usage telemetry integration: Forward AI tool access logs and network-layer SWG logs into your existing SIEM (Splunk, Sentinel, Chronicle). Create detection rules for: (1) access to unapproved AI domains, (2) bulk data transfer to AI tool endpoints, (3) AI tool access from unmanaged devices.
OPA/Rego policy enforcement (for platform engineering teams): If you manage infrastructure as code, enforce AI tool backend security requirements as policy. Example OPA rule that rejects Firebase deployments with public access:

1
package firebase.security
2

3
deny[msg] {
4
    input.rules[".read"] == true
5
    msg := "BLOCKED: Firebase rules allow unauthenticated public read access"
6
}
7

8
deny[msg] {
9
    input.rules[".write"] == true
10
    msg := "BLOCKED: Firebase rules allow unauthenticated public write access"
11
}

Incident response playbook: Establish a dedicated IR playbook for third-party AI tool data exposure. Include: regulatory notification timelines by jurisdiction (72 hours for GDPR), data classification triage procedures, vendor communication templates, and employee notification protocols.

Operational friction vs. liability exposure#

The friction is real. Block unapproved AI tools and you will hear from the business units that quietly started using them to move faster. Vendor attestation slows procurement down. SSO-only access will knock out popular consumer-grade tools that teams have already gotten fond of.

The exposure is worse. Skip this control layer and your organization eats the regulatory and financial risk of every broken third-party backend, every stolen credential set, every unclassified disclosure, across every AI tool every employee has ever touched.

The math: A GDPR breach notification proceeding, counting legal counsel, forensic audit, regulator back-and-forth, and a possible fine, starts in the six figures for a mid-size enterprise. Now multiply by however many broken tools your people may have used. Set that against the cost of one Secure Web Gateway policy update and a procurement checklist revision.

If you run anything in a regulated environment, there is nothing to debate. Control is the only posture you can defend.

Executive verdict: adopt and enforce#

The Firebase misconfiguration is not a fluke. It is a confirmed, systemic failure across more than half of the apps tested in this category. The fix is not one more security product. It is operational discipline with specific, auditable controls behind it.

Gate the AI tools before they reach your employees. Verify the backend config before you approve anything. Hold AI platforms to the same identity governance you already demand from your CRM and financial systems.

The companies that come through the next wave of AI-driven breaches will not be the ones with the fattest security budgets. They will be the ones with the most ruthless intake. The gate before the tool. The review before the deployment. The registry before the incident.

The Monday morning directive#

Executives do not sit there auditing Firebase instances by hand. They tell their teams to. If you are forwarding this brief to your CISO, Head of Infrastructure, or IAM lead, attach this exact mandate:

“Review the attached brief on the systemic backend misconfigurations in AI chat apps. By EOD Wednesday, I need: 1. A verified list of all third-party AI chat tools currently accessed from our network — pull SWG/proxy logs for the last 90 days. 2. Confirmation of whether each tool is gated behind SSO and MFA, and whether any use Firebase or similar BaaS backends. 3. An execution plan to block unapproved tools at the MDM and network layer by end of next week, and a procurement checklist update requiring backend security attestation for all AI tool renewals.”

Vladimir Mikhalev

Docker Captain · IBM Champion · AWS Community Builder

The Verdict — production-tested analysis on YouTube.

YouTube GitHub LinkedIn