540 million records on Facebook users exposed by third-party apps

Two caches of data on millions of Facebook users were recently discovered sitting unprotected on cloud-computing servers.

In one security lapse, no fewer than 540 million records on Facebook users were found lying around in the cloud. This included account IDs, names, likes, comments, and other data, reads a report from cybersecurity firm UpGuard, which found the records. The data had been collected by a Mexico-based digital publisher called Cultura Colectiva via its Facebook-integrated app.

The dataset, weighing in at 146GB, was found hiding in plain sight – on an Amazon S3 storage server with no password required. Despite being alerted to the issue multiple times since early January, both by UpGuard and Amazon, Cultura Colectiva failed to secure the server. Apparently, it was only on Wednesday – after Bloomberg contacted Facebook, which, in turn, got in touch with Amazon – that the situation was fixed.

Reuters quoted a Facebook spokesperson as saying that that the social network worked with Amazon to take down the databases as soon as it was made aware of the issue. The spokesperson also said that “Facebook’s policies prohibit storing Facebook information in a public database”.

Meanwhile, Cultura Colectiva told the news wire that all the records came from user interactions with its three pages on Facebook and represent the same information that is publicly accessible to anyone browsing those pages.

“Neither sensitive nor private data, like emails or passwords, were amongst those because we do not have access to that kind of data, so we did not put our users’ privacy and security at risk,” Cultura Colectiva was quoted as saying.

While no user passwords were mishandled in this security lapse, this was not the case with the second incident, which involved another Facebook-integrated app, called “At the Pool”. In this case, the passwords of some 22,000 people were stored in plain text by the app’s developers, along with names, email addresses, Facebook IDs, and other details.

“The passwords are presumably for the ‘At the Pool’ app rather than for the user’s Facebook account, but would put users at risk who have reused the same password across accounts,” said UpGuard.

The data were exposed to the public for an unknown period of time – until being taken down in the midst of the firm’s investigation into the records’ origin. The app has been inactive since 2014 and its parent company is most likely to have closed up shop.