19.6 billion files were publicly reachable across 535,480 listable buckets on AWS, Google Cloud, Azure, DigitalOcean and Alibaba, based on metadata captured in March 2026.
685,047 credential and key files, 985,645 .sql dumps and 733,040 .bak backups were exposed, meaning attackers could access live systems or download databases without exploiting any software flaw.
More than two-thirds of the exposed storage sat on AWS, which the researchers said reflects its dominant market share rather than weaker security.
The report traced the problem to basic misconfiguration—buckets set to public, backups sent to the wrong path, or secrets stored in object storage—and warned that one open bucket can chain into broader account compromise.
Mysterium VPN said the findings point to a structural cloud-security failure and urged organizations to default buckets to private, avoid storing secrets there and continuously scan for public exposure.
Billions at Risk: The Systemic Cloud Misconfiguration Crisis Exposing 19.6 Billion Files
Overview
A total of 19.6 billion files were publicly exposed in cloud storage, mainly because of simple, preventable misconfigurations rather than sophisticated attacks. The core issue is human error, such as leaving cloud storage buckets publicly listable instead of private, or accidentally placing sensitive files like .env files, which contain credentials, in public locations. These mistakes allow attackers to access entire systems. The problem points to a fundamental flaw in cloud resource management, where a single misstep can result in widespread data exposure, and it underscores the urgent need for better configuration practices and oversight.
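An added example, not taken from the report or from Mysterium VPN: an offline audit of the two conditions described above, an S3-style bucket policy that lets anonymous callers list or read objects, and object names matching the exposed file types. The sample policy, the object keys and the `.pem`/`.key` suffixes are constructed assumptions.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample policy: statement 1 lets anyone list and read the bucket.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*",
     "Action": ["s3:ListBucket", "s3:GetObject"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/backup"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"},
]})
# Constructed object listing.
SAMPLE_KEYS = ["site/index.html", "deploy/.env", "db/prod.sql",
               "nightly/app.bak", "keys/id_rsa.pem"]
WATCHED = ("s3:ListBucket", "s3:GetObject")  # anonymous list / anonymous read
# .env, .sql and .bak come from the article; .pem and .key are assumed suffixes.
SUFFIXES = {".sql": "sql dump", ".bak": "backup", ".env": "credential/key",
            ".pem": "credential/key", ".key": "credential/key"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_anonymous(principal):
    """True when the principal is "*" or a map containing "*" (e.g. {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False

def public_actions(policy_json):
    """Watched actions granted to everyone by unconditional Allow statements.
    Deny, NotPrincipal/NotAction and Condition logic is out of scope: review those by hand."""
    granted = set()
    for st in _as_list(json.loads(policy_json).get("Statement", [])):
        if st.get("Effect") != "Allow" or "Condition" in st or not is_anonymous(st.get("Principal")):
            continue
        for pattern in _as_list(st.get("Action", [])):
            # Policy actions may use wildcards such as "s3:*" or "s3:List*".
            granted.update(a for a in WATCHED if fnmatchcase(a.lower(), pattern.lower()))
    return sorted(granted)

def sensitive_keys(keys):
    """Map object keys to the exposure category their name suggests."""
    return {k: label for k in keys for suffix, label in SUFFIXES.items()
            if k.lower().endswith(suffix)}
```

A non-empty result from `public_actions` on a bucket that also yields hits from `sensitive_keys` is the combination the report describes: a listable bucket holding credentials, dumps or backups.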