When a web server is not properly configured, it may display a "directory listing" (an index) of all the files in a folder instead of a webpage.
The breach presents severe risks across multiple attack vectors. Account takeovers become trivial for services lacking two-factor authentication, potentially leading to identity theft and financial fraud. Corporate and government implications are particularly concerning — databases containing business credentials and government accounts could facilitate corporate espionage, ransomware deployment, or unauthorized access to sensitive state networks.
Exposed credentials provide a rich source for highly targeted phishing. Attackers can use real passwords and account details to craft convincing fake emails, claiming, for example, that there was suspicious activity on the Facebook account and asking for verification. Since the attacker already knows real data points, the phishing attempt becomes far more credible and successful.