File Transfer Protocol (FTP) is more than 50 years old, yet it continues to be widely used on the public internet. According to a new study by Censys, about 6 million systems are currently exposing FTP services online, and nearly half of them show no signs of encryption, leaving credentials and data at serious risk.
FTP exposure in 2024: legacy protocol, modern attack surface
Censys data indicates that FTP services are visible on approximately 2.72% of all internet-facing systems. The overall number of hosts with publicly accessible FTP has been declining, dropping by roughly 40% since early 2024—from 10.1 million to 5.94 million. Even so, the remaining footprint represents a massive attack surface, often tied to business-critical or sensitive data flows.
The most alarming finding is that around 2.45 million FTP services showed no observable TLS handshake during scanning. While a missing handshake is not an absolute guarantee that encryption is never used, in practice it almost always means that FTP traffic, including usernames and passwords, is being transmitted in clear text.
Where FTP security breaks down: encryption and authentication
Lack of TLS and insecure login flows on FTP servers
Within the 2.45 million likely unencrypted FTP services, Censys highlights several high-risk patterns that directly impact security:
• 994,000 services do not support the AUTH TLS command on the scanned port, making it impossible to upgrade to an encrypted FTPS session on that endpoint.
• 813,000 servers request a password before any encrypted channel is established. In this configuration, login credentials can be intercepted anywhere along the network path, enabling straightforward credential theft.
• More than 170,000 hosts lack support for Explicit TLS altogether, meaning they cannot switch to a secure mode even when a properly configured client attempts to do so.
From a security perspective, these issues enable classic Man-in-the-Middle (MitM) attacks, large-scale harvesting of credentials, and passive eavesdropping on file contents. For organizations subject to regulations such as PCI DSS, GDPR, and sector-specific data protection rules, transmitting authentication data and files over unencrypted FTP can directly result in non-compliance and potential breaches.
Geography and providers: where unencrypted FTP is most common
The highest concentration of internet-exposed FTP hosts is in the United States, with roughly 1.2 million systems. Other leading countries include:
— China: 866,000 FTP hosts;
— Germany: 467,000;
— Hong Kong: 415,000;
— Japan: 366,000;
— France: 343,000.
From a network and provider perspective, China Unicom (CHINA169) tops the list with about 405,000 FTP hosts. It is followed by Alibaba (227,000), OVH (177,000), Hetzner (138,000), KDDI Web Communications (127,000), and GoDaddy (126,000). This distribution suggests that insecure FTP configurations are especially prevalent in mass-market hosting environments and broadband access networks, where default settings and “quick setup” wizards are common.
Most-used FTP software and the danger of default configurations
The most widespread FTP server software identified by Censys is Pure-FTPd, powering around 1.99 million services. It is followed by ProFTPD (812,000) and vsftpd (379,000), the latter being a default FTP daemon in many Linux distributions.
Microsoft IIS FTP deserves particular attention. Approximately 259,000 FTP services run on IIS, and more than 150,000 of them appear to have no encryption configured at all. Because the FTP role in Windows Server can be enabled with just a checkbox during deployment, many administrators leave it with minimal hardening and default options, unintentionally exposing weak services directly to the internet.
Across geographies, providers, and software stacks, a consistent pattern emerges: most exposed FTP servers are by-products of default or legacy configurations, rather than the result of deliberate architectural decisions. This is typical for low-cost virtual hosting, obsolete projects, and “temporary” file transfer services that were never decommissioned.
How to replace FTP securely: SFTP, FTPS, and hardening measures
Current security guidance from standards bodies and regulators is clear: unencrypted, classic FTP should no longer be used for file transfer on the public internet or within corporate environments handling sensitive data.
More secure file transfer strategies should include:
• Migrating from FTP to SFTP or FTPS. SFTP (the SSH File Transfer Protocol) runs over SSH and provides encryption and integrity by design. FTPS (FTP over TLS) adds TLS to the traditional FTP protocol. Both options are supported by most modern clients and libraries and are suitable for automated workflows.
• Enforcing Explicit TLS where migration is difficult. If a full protocol replacement is not immediately feasible, at minimum enable Explicit TLS-only mode and require encrypted connections for all accounts. Popular servers like Pure-FTPd and vsftpd support this natively and mainly require correct configuration rather than a complete software change.
• Regularly auditing exposed services. Conduct periodic scans of external attack surfaces using tools and platforms such as Censys, Shodan, or internal scanners to identify forgotten FTP instances, open ports, and insecure configurations.
• Applying least-privilege and access control. Restrict file transfer access by IP address, place FTP/SFTP services behind VPN where possible, enable multi-factor authentication (MFA), and log user actions in sufficient detail for incident investigation and anomaly detection.
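The three unencrypted-login patterns listed earlier (no AUTH TLS on the port, password requested before TLS, no Explicit TLS at all) and the periodic audit recommended above are in practice one check: open the control channel, offer AUTH TLS, and see whether the server would prompt for a password without it. The Python below is an added example, not code from the Censys report or from any of the FTP servers named on this page; `ScriptedSocket`, the two canned transcripts and the `probe` user name are constructed for the demonstration, and `audit_explicit_tls` accepts any object exposing `makefile("rb")` and `sendall`, such as a real `socket.socket` connected to a host you administer.

```python
import io

def read_reply(rfile):
    """Read one FTP reply, honouring RFC 959 multi-line form ('220-...' up to '220 ')."""
    first = rfile.readline().decode("latin-1")
    code = first[:3]
    if len(first) < 4 or not code.isdigit():
        raise ConnectionError("bad or missing FTP reply")
    lines = [first.rstrip("\r\n")]
    if first[3] == "-":  # continuation lines follow until one starts with 'code '
        while not lines[-1].startswith(code + " "):
            line = rfile.readline().decode("latin-1")
            if not line:
                raise ConnectionError("truncated multi-line reply")
            lines.append(line.rstrip("\r\n"))
    return int(code), "\n".join(lines)

def audit_explicit_tls(sock):
    """Classify one control channel: auth_tls = AUTH TLS accepted (234);
    clear_pass = no TLS offered, yet the server asked for a password (331).
    No password is ever transmitted; the check stops at the PASS prompt."""
    rfile = sock.makefile("rb")
    code, banner = read_reply(rfile)
    result = {"banner": banner, "auth_tls": False, "clear_pass": False}
    if code != 220:  # e.g. 421 Service not available: nothing to classify
        return result
    sock.sendall(b"AUTH TLS\r\n")
    code, _ = read_reply(rfile)
    if code == 234:
        result["auth_tls"] = True  # a real client would now wrap sock in TLS
    else:
        sock.sendall(b"USER probe\r\n")  # 'probe' is a placeholder user name
        code, _ = read_reply(rfile)
        result["clear_pass"] = code == 331
    sock.sendall(b"QUIT\r\n")
    return result

class ScriptedSocket:
    """Constructed stand-in for socket.socket that replays canned server replies."""
    def __init__(self, replies):
        self.reader = io.BytesIO(b"".join(replies))
        self.sent = []
    def makefile(self, mode):
        return self.reader
    def sendall(self, data):
        self.sent.append(data)

# Constructed transcripts: a server that offers Explicit TLS, and a legacy one that does not.
HARDENED = [b"220-Welcome\r\n", b"220 FTP ready.\r\n", b"234 AUTH TLS OK.\r\n", b"221 Bye.\r\n"]
LEGACY = [b"220 FTP ready.\r\n", b"500 Unknown command.\r\n", b"331 Password required.\r\n", b"221 Bye.\r\n"]
```

A host that returns `clear_pass == True` matches the 813,000-server pattern above and belongs at the top of the remediation list; one returning `auth_tls == True` still needs its configuration checked so that logins without TLS are refused, not merely optional.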
Given the continued prevalence of unencrypted FTP, organizations should proactively review their infrastructure, disable legacy FTP services, and standardize on secure protocols such as SFTP or FTPS. Systematic hardening and continuous monitoring not only reduce the likelihood of data leaks and account compromise, but also help maintain compliance with modern cybersecurity and privacy requirements.