Researchers Found 19.6 Billion Files Sitting Open in Public Cloud Buckets, No Password Required
On May 28, 2026, Security Affairs reported a Mysterium VPN study that found 19.6 billion files exposed across 535,480 publicly listable cloud buckets, including more than a million files each named 'password' and 'passport.' The files were reachable by anyone, with no login. Browser-based tools never put a file in a bucket to begin with.
VaultTools · June 2, 2026
Photo on Unsplash
Table of Contents
- What the researchers found
- How the files were exposed
- What is sitting in the open
- A configuration mistake, not a hack
- Why this matters
- Sources
What the Researchers Found
On May 28, 2026, Security Affairs reported on a study by Mysterium VPN that scanned the public face of the world’s cloud storage. The researchers counted 19.6 billion files sitting in 535,480 publicly listable cloud buckets. None of those files required a password, a login, or an exploit to read. Anyone who found the address could open them.
This is not a single company’s breach. It is a snapshot of how much sensitive data is left reachable across the internet at any given moment, spread across thousands of organizations that each made the same small mistake.
How the Files Were Exposed
The files were stored in cloud buckets, the storage containers offered by services like Amazon S3, Google Cloud, Azure, DigitalOcean, and Alibaba. According to the report, roughly two-thirds of the exposed storage sat on Amazon Web Services.
A bucket is private by default, but a single setting flips it open to the public. When that happens, every file inside becomes a web address that anyone can request. The Mysterium VPN team did not break into anything. They analyzed bucket metadata from March 2026, sorting files by type and name without downloading the contents. The exposure was already there for anyone to see.
What Is Sitting in the Open
The study went beyond a raw file count and categorized what those files actually were. The findings describe a cross-section of the most sensitive data an organization holds.
- 685,047 credential and key files, including
.envfiles, private keys, and password vaults - 985,645
.sqlfiles and 733,040.bakfiles, the database dumps and backups that contain entire user tables - 764,015 files with “secret” in the name, 250,563 with “salary,” 195,475 with “kyc,” and 124,967 with “credentials”
- More than one million files each named “password,” “passport,” “invoice,” and “backup”
A database dump in an open bucket, the report notes, is the same data with all the guards removed, downloadable in one click and analyzable forever.
A Configuration Mistake, Not a Hack
The thread running through every one of these files is that no attacker was required. There was no stolen login, no software vulnerability, no ransomware. Each exposure came from a storage container that was supposed to be private and was left public.
That is the same failure mode behind the recent passport leaks at the Japanese hotel vendor Tabiq, the third-party UK Visa Portal, and the study-abroad platform Leverage Edu. The difference here is scale. This study shows the pattern is not a handful of unlucky companies. It is a structural condition of how files are stored once they leave a device.
Why This Matters
Every one of those 19.6 billion files was uploaded somewhere. A user sent a passport scan to verify an account, a company pushed a backup to the cloud, a developer committed a secrets file. The moment a file lands in a bucket, its safety depends on a setting staying correct, on a backup policy staying tight, and on every person with access never making a mistake. The study shows how often that chain breaks.
Tools that process files locally remove the upload step entirely. With VaultTools, a passport scan, a bank statement, or a PDF is handled inside your browser, and the bytes never travel to a server. You can crop an ID, compress a document, strip metadata, or merge a PDF without any file ever leaving your machine. There is no bucket to misconfigure, no backup to leak, and no third party to trust. A file that is never uploaded cannot end up in an open bucket.