Hundreds of millions of Facebook user records exposed on public Amazon servers
In yet another security breach, millions of Facebook records were left exposed on publicly accessible Amazon cloud servers.
Researchers at UpGuard, a cybersecurity firm, found two separate sets of Facebook user data posted publicly on Amazon’s cloud computing servers, the company wrote in its blog post.
One dataset linked to Cultura Colectiva, a Mexico City-based media company, stored 146 gigabytes of data containing more than 540 million records on Amazon’s servers, which included comments, likes, reactions, account names, FB IDs and more. The records were accessible and downloadable for anyone who could find them online.
Similarly, another dataset linked to the now-defunct Facebook-integrated app ‘At the Pool’ is said to have stored unprotected plaintext passwords for 22,000 users. While the app was shut down in 2014, UpGuard said it is unclear how long the user details were exposed, as the database became inaccessible while the company was looking into it.
“As Facebook faces scrutiny over its data stewardship practices, they have made efforts to reduce third party access. But as these exposures show, the data genie cannot be put back in the bottle,” UpGuard wrote in its blog post. “Data about Facebook users has been spread far beyond the bounds of what Facebook can control today.”
While Facebook secured the large dataset on Wednesday after Bloomberg, which first reported the leak, contacted the company, the smaller dataset was taken offline during UpGuard’s investigation.
Although Facebook did not leak this data, for years it shared this kind of information freely with third-party developers, who went on to store it improperly with no scrutiny from the social media giant.
“The data exposed in each of these sets would not exist without Facebook, yet these data sets are no longer under Facebook’s control,” the UpGuard researchers wrote in their blog post. “In each case, the Facebook platform facilitated the collection of data about individuals and its transfer to third parties, who became responsible for its security.”
Chris Vickery, Director of Cyber Risk Research at UpGuard, said, “The public doesn’t realize yet that these high-level systems administrators and developers, the people that are custodians of this data, they are being either risky or lazy or cutting corners. Not enough care is being put into the security side of big data.”
Facebook said that it was investigating the incident, including how long the data was hosted on the public servers prior to UpGuard’s findings. The company said it will notify users if it finds evidence that the data was misused.
“Facebook’s policies prohibit storing Facebook information in a public database,” a spokeswoman said in a statement. “Once alerted to the issue, we worked with Amazon to take down the databases. We are committed to working with the developers on our platform to protect people’s data.”
Representatives for Amazon have yet to comment on the matter.
It should be noted that earlier on Wednesday, Facebook was caught asking new users to share their email passwords in order to use the site, with many security experts labeling the act as a phishing attack. Later, Facebook stated that it would stop asking for users’ email passwords as a form of verification.