Millions of Facebook records found on Amazon cloud servers

Posted April 06, 2019

The social network has launched an investigation to determine whether the data was used maliciously, after it was found to contain account names, Facebook IDs, comments, likes, reactions and, in a number of cases, passwords.

Over half a billion personal Facebook records have been publicly exposed to the internet by two third party app developers, according to researchers at UpGuard. "We are committed to working with the developers on our platform to protect people's data", a Facebook spokesperson said in a statement.

Bloomberg has the story this week, outlining the latest security issue from Facebook.

"The passwords are presumably for the "At the Pool" app rather than for the user's Facebook account, but would put users at risk who have reused the same password across accounts", says Upguard.

In response to public concern for privacy, Facebook started an audit of thousands of apps and suspended hundreds of them a year ago to ensure information was not stored unsecured in public databases.

UpGuard said it sent two notification emails to Cultura Colectiva on January 10 and January 14 and never received a response. Although that exposed the details of only 22,000 Facebook users, the exposed data also included plain-text passwords.

Upguard also found a smaller data set in a separate AWS S3 instance which it says was a back up from the "At the Pool" app. That database held about 540 million records from Facebook users, mostly in Mexico and Latin America, who subscribed to the Spanish-language news and culture app. Facebook has since said it has banned third-party apps from scraping private user information.

"The data exposed in each of these sets would not exist without Facebook, yet these data sets are no longer under Facebook's control", the UpGuard researchers wrote. "The password is simply no longer enough to provide a sufficient level of security in today's threat landscape".

"While Facebook may be in the news for continuing security issues, news coverage should serve as a wakeup call that organizations of all sizes can face data protection issues unless clear policies around data ownership are defined and followed". The buckets have since been secured or taken offline. While Facebook themselves have not compromised this data, they have allowed it to be freely obtained by companies with lax security measures.

As expected, a Facebook representative has already posted an official commentary on this incident.

But when the researchers checked again on 21 February they discovered the data was still not secured, and an email was to Amazon Web Services.