Third-party Facebook app leaked 540m user records on AWS server

Data trove thought to have been shared prior to Facebook's policy reforms

Facebook's heavily criticised app integration system has led to more than 146GB worth of data being left publicly exposed on AWS servers owned and operated by third-party companies.

It's believed 540 million records relating to Facebook accounts were stored on the servers, including comments, likes, reactions, names and user IDs, obtained when users engaged with applications on the platform - the same methods unearthed during the investigation into Cambridge Analytica.

Two apps have been associated with the data hoard so far: Cultura Colectiva, a Mexico-based media company that promotes content to users in Latin America, and At the Pool', a service that matched users with other content, which has been out of operation since 2016.

At the Pool is said to have held 22,000 passwords for its service in plaintext alongside columns relating to Facebook user IDs - the fear being that many users may have been using the same password for their Facebook accounts.

Both of the app's datasets were stored in Amazon S3 buckets which were found to be misconfigured to allow public download of the files. Despite being commonly used among businesses, as they allow data to be distributed across servers in a wide geographical area, there have been multiple incidents involving companies failing to adequately safeguard their data.

Facebooked condemned the practices of both the apps. "Facebook's policies prohibit storing Facebook information in a public database," said a Facebook spokesperson. "Once alerted to the issue, we worked with Amazon to take down the databases. We are committed to working with the developers on our platform to protect people's data."

AWS was made aware of the exposed data on 28 January 2019, following an alert issued by security research firm UpGuard. AWS confirmed it had received the report and was investigating it, but the data was only secured on Wednesday this week.

"AWS customers own and fully control their data," an AWS spokesperson told IT Pro. "When we receive an abuse report concerning content that is not clearly illegal or otherwise prohibited, we notify the customer in question and ask that they take appropriate action, which is what happened here."

This statement aligns with UpGuard's in that the researchers alerted Cultura Colectiva before AWS on 10 January 2019 but have still yet to receive a response from the company.

Accenture, Experian, WWE, and the NSA have all been found to have stored data on unsecured AWS servers in recent years, with the problem becoming so prevalent that hackers have started creating tools specifically designed to target these buckets.

"While Amazon S3 is secure by default, we offer the flexibility to change our default configurations to suit the many use cases in which broader access is required, such as building a website or hosting publicly downloadable content," said AWS. "As is the case on-premises or anywhere else, application builders must ensure that changes they make to access configurations are protecting access as intended."

The news coincides with an article published in The Washington Post in which Facebook's Mark Zuckerberg called for a worldwide GDPR' and greater regulation on the data protection principles of big tech outside the EU, despite the company itself facing 10 major GDPR investigations.

The discovery of the data has once again raised the issue of Facebook's data sharing policies, something that facilitated the improper sharing of user data for political purposes by Cambridge Analytica. This prompted Facebook to change its sharing policies to restrict access by third-parties, although the fear is that data troves such as this have already been widely shared.

"Cambridge Analytica was the most high profile case that led to some significant changes in how Facebook interacts with third-party developers, but I suspect there are many troves of Facebook data sitting around where they shouldn't be, including this one," said privacy advocate Paul Bischoff of Comparitech.com.

"Even though Facebook has limited what information third-party developers can access, there's still nothing Facebook can do about abuse or mishandling until after the fact," he said.

Featured Resources

How to choose an AI vendor

Five key things to look for in an AI vendor

Download now

The UK 2020 Databerg report

Cloud adoption trends in the UK and recommendations for cloud migration

Download now

2021 state of email security report: Ransomware on the rise

Securing the enterprise in the COVID world

Download now

The impact of AWS in the UK

How AWS is powering Britain's fastest-growing companies

Download now

Recommended

Ransomware criminals look to other hackers to provide them with network access
ransomware

Ransomware criminals look to other hackers to provide them with network access

17 Jun 2021
CVS Health data breach leaves a billion records exposed
data protection

CVS Health data breach leaves a billion records exposed

16 Jun 2021
Four in five ransomware victims suffer repeat attacks
ransomware

Four in five ransomware victims suffer repeat attacks

16 Jun 2021
Putin open to handing cyber criminals over to US
hacking

Putin open to handing cyber criminals over to US

14 Jun 2021

Most Popular

Q&A: Enabling transformation
Sponsored

Q&A: Enabling transformation

10 Jun 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

16 Jun 2021
Millions of Volkswagen customers affected by data breach
data breaches

Millions of Volkswagen customers affected by data breach

14 Jun 2021