I picked 35 random Firebase project IDs from public GitHub repos this morning and probed each for publicly readable Firestore collections. No auth, no special tools — just plain GET requests to firestore.googleapis.com. 8 of them — 23% — returned data to an anonymous request.

Here's the raw breakdown:

| Collection | # of projects leaking |
|------------|-----------------------|
| users      | 4                     |
| products   | 3                     |
| posts      | 2                     |
| messages   | 1                     |
| profiles   | 1                     |
| orders     | 1                     |

12 leaks across 8 projects in a 35-sample slice.

How is this possible?

Firebase apps bundle a `firebase-config.js` into every web build. That config contains the project ID. The project ID is not secret — it's in the URL, in the JS bundle, in any `.env.example` somewhere. The actual security boundary is your `firestore.rules` file. If your rules look like this:

```
service cloud.firestore {
  match /databases/{database}/documents {
    match /{document=**} {
      allow read, write: if true;
    }
  }
}
```

…anyone in the world with your project ID can read every document in every collection.…
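For contrast, here is a locked-down `firestore.rules` covering the six collection names from the table above. This is an added example, not a rules file from the post or from any of the probed projects; the `ownerId` field on posts and orders and the `participants` list on messages are assumptions about the data model, and "products" is treated as an intentionally public, read-only catalogue.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Is the caller authenticated at all? Anonymous REST requests fail this.
    function signedIn() {
      return request.auth != null;
    }

    // Does the caller own the stored document? Assumes an `ownerId` field (assumption).
    function isOwner(doc) {
      return signedIn() && doc.ownerId == request.auth.uid;
    }

    // users/{uid}: only that user can read or write their own record.
    match /users/{userId} {
      allow read, write: if signedIn() && request.auth.uid == userId;
    }

    // profiles: visible to any signed-in user, writable only by the owner.
    match /profiles/{userId} {
      allow read: if signedIn();
      allow write: if signedIn() && request.auth.uid == userId;
    }

    // products: public catalogue. Reads are open on purpose; client writes are
    // refused (a trusted backend using the Admin SDK bypasses rules anyway).
    match /products/{productId} {
      allow read: if true;
      allow write: if false;
    }

    // posts: create must stamp the caller as owner; update/delete only by owner.
    // `resource` is null on create, so create is handled separately from isOwner().
    match /posts/{postId} {
      allow read: if signedIn();
      allow create: if signedIn() && request.resource.data.ownerId == request.auth.uid;
      allow update, delete: if isOwner(resource.data);
    }

    // orders: strictly per-owner, never listable by other users.
    match /orders/{orderId} {
      allow create: if signedIn() && request.resource.data.ownerId == request.auth.uid;
      allow read, update, delete: if isOwner(resource.data);
    }

    // messages: readable only by the listed participants (assumed `participants` list of uids),
    // creatable only if the sender is one of them, immutable afterwards.
    match /messages/{messageId} {
      allow read: if signedIn() && request.auth.uid in resource.data.participants;
      allow create: if signedIn() && request.auth.uid in request.resource.data.participants;
      allow update, delete: if false;
    }

    // No catch-all match: any collection not listed above is denied by default.
  }
}
```

Two things worth noting about the design. First, there is deliberately no `match /{document=**}` block, because Firestore denies any request that no `allow` statement matches, so leaving a collection out closes it rather than opens it. Second, the one `allow read: if true` that remains is scoped to a single, named collection, which is the shape an intentionally public dataset should take; the anonymous GET the post describes would still return `products` here and nothing else. Run the file through the Firebase emulator or the console's Rules Playground with an unauthenticated request against each collection before deploying it.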