540 Million Facebook User Records Exposed By Third Parties On Amazon's Cloud Server

05/04/2019

More than 540 million records about Facebook users were publicly exposed on Amazon's cloud computing service, according to UpGuard, a cybersecurity research firm.

It was said that two third-party Facebook app developers posted the records, causing yet another major data breach for the world's largest social media network.

According to UpGuard, a Mexico-based media company called 'Cultura Colectiva' was responsible for the biggest leak, as it exposed 146GB of Facebook user data, which consisted of users' account names, IDs and details about comments and reactions to posts.

A similar data set was also found for an app called 'At the Pool'.

While smaller, it exposed user records that include data about user IDs, friends, photos and location check-ins, as well as unprotected 22,000 passwords apparently used for the app, rather than directly for Facebook. The app was meant to help people meet up for offline activities, but has shut down in 2014.

Facebook

UpGuard said it alerted Amazon about the breaches from Cultura Colectiva back in January 2019.

However, the company took no action until Bloomberg reached out to Facebook. Quickly, Amazon secured Cultura Colectiva's S3 "storage bucket" to prevent any or further misuse. And as for the data from 'At the Pool', it went offline just before UpGuard reached out about it.

"Facebook’s policies prohibit storing Facebook information in a public database," said a spokesperson for the company in a statement.

"Once alerted to the issue, we worked with Amazon to take down the databases. We are committed to working with the developers on our platform to protect people’s data."

The data appears to have been made publicly available by mistake, but the problem raises questions about where user information has gone to since it was collected by Facebook apps.

The companies in question aren't clear on how long the data was publicly available, or who may have obtained it from the servers, if any.

This incident puts another burden on Facebook, the social media giant that has already faced intense criticism over how the company shared user data with third parties. Most famously, the political data firm Cambridge Analytica, which worked with the Trump campaign in the 2016 election, got access to data from more than 87 million users through a seemingly innocuous quiz app.

"Data about Facebook users has been spread far beyond the bounds of what Facebook can control today," said the UpGuard researchers, who have highlighted several leaks on Amazon servers in the past.

"Combine that plenitude of personal data with storage technologies that are often misconfigured for public access, and the result is a long tail of data about Facebook users that continues to leak."

Upguard also warned users about Facebook‘s previous privacy blunders that would continue: “But as these exposures show, the data genie cannot be put back in the bottle.”

Previously, Facebook said that an attack on its networks exposed information from nearly 50 million users.