Third-party Facebook app leaked 540m user records on AWS server

Data trove thought to have been shared prior to Facebook's policy reforms

Facebook's heavily criticised app integration system has led to more than 146GB worth of data being left publicly exposed on AWS servers owned and operated by third-party companies.

It's believed 540 million records relating to Facebook accounts were stored on the servers, including comments, likes, reactions, names and user IDs, obtained when users engaged with applications on the platform - the same methods unearthed during the investigation into Cambridge Analytica.

Advertisement - Article continues below

Two apps have been associated with the data hoard so far: Cultura Colectiva, a Mexico-based media company that promotes content to users in Latin America, and At the Pool', a service that matched users with other content, which has been out of operation since 2016.

At the Pool is said to have held 22,000 passwords for its service in plaintext alongside columns relating to Facebook user IDs - the fear being that many users may have been using the same password for their Facebook accounts.

Both of the app's datasets were stored in Amazon S3 buckets which were found to be misconfigured to allow public download of the files. Despite being commonly used among businesses, as they allow data to be distributed across servers in a wide geographical area, there have been multiple incidents involving companies failing to adequately safeguard their data.

Advertisement
Advertisement - Article continues below

Facebooked condemned the practices of both the apps. "Facebook's policies prohibit storing Facebook information in a public database," said a Facebook spokesperson. "Once alerted to the issue, we worked with Amazon to take down the databases. We are committed to working with the developers on our platform to protect people's data."

Advertisement - Article continues below

AWS was made aware of the exposed data on 28 January 2019, following an alert issued by security research firm UpGuard. AWS confirmed it had received the report and was investigating it, but the data was only secured on Wednesday this week.

"AWS customers own and fully control their data," an AWS spokesperson told IT Pro. "When we receive an abuse report concerning content that is not clearly illegal or otherwise prohibited, we notify the customer in question and ask that they take appropriate action, which is what happened here."

This statement aligns with UpGuard's in that the researchers alerted Cultura Colectiva before AWS on 10 January 2019 but have still yet to receive a response from the company.

Accenture, Experian, WWE, and the NSA have all been found to have stored data on unsecured AWS servers in recent years, with the problem becoming so prevalent that hackers have started creating tools specifically designed to target these buckets.

Advertisement - Article continues below

"While Amazon S3 is secure by default, we offer the flexibility to change our default configurations to suit the many use cases in which broader access is required, such as building a website or hosting publicly downloadable content," said AWS. "As is the case on-premises or anywhere else, application builders must ensure that changes they make to access configurations are protecting access as intended."

The news coincides with an article published in The Washington Post in which Facebook's Mark Zuckerberg called for a worldwide GDPR' and greater regulation on the data protection principles of big tech outside the EU, despite the company itself facing 10 major GDPR investigations.

The discovery of the data has once again raised the issue of Facebook's data sharing policies, something that facilitated the improper sharing of user data for political purposes by Cambridge Analytica. This prompted Facebook to change its sharing policies to restrict access by third-parties, although the fear is that data troves such as this have already been widely shared.

Advertisement - Article continues below

"Cambridge Analytica was the most high profile case that led to some significant changes in how Facebook interacts with third-party developers, but I suspect there are many troves of Facebook data sitting around where they shouldn't be, including this one," said privacy advocate Paul Bischoff of Comparitech.com.

"Even though Facebook has limited what information third-party developers can access, there's still nothing Facebook can do about abuse or mishandling until after the fact," he said.

Featured Resources

The case for a marketing content hub

Transform your digital marketing to deliver customer expectations

Download now

Fast, flexible and compliant e-signatures for global businesses

Be at the forefront of digital transformation with electronic signatures

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

IT faces new security challenges in the wake of COVID-19

Beat the crisis by learning how to secure your network

Download now
Advertisement
Advertisement

Recommended

Visit/security/encryption/355820/k2view-innovates-in-data-management-with-new-encryption-patent
encryption

K2View innovates in data management with new encryption patent

28 May 2020
Visit/software/video-conferencing/355410/zoom-50-adds-256-bit-encryption-and-ui-refresh
video conferencing

Zoom 5.0 adds 256-bit encryption to address security concerns

23 Apr 2020
Visit/security/hacking/355382/whatsapps-flaw-shoulder-surfing
hacking

WhatsApp flaw leaves users open to 'shoulder surfing' attacks

21 Apr 2020
Visit/security/cyber-security/355368/microsoft-builds-ai-to-detect-security-flaws-with-99-accuracy
cyber security

Microsoft AI can detect security flaws with 99% accuracy

20 Apr 2020

Most Popular

Visit/operating-systems/microsoft-windows/355812/microsoft-warns-against-installing-windows-10-may-2020
Microsoft Windows

Microsoft warns users not to install Windows 10's May update

28 May 2020
Visit/security/data-breaches/355777/easyjet-faces-class-action-lawsuit-over-data-breach
data breaches

EasyJet faces class-action lawsuit over data breach

26 May 2020
Visit/security/cyber-security/355797/microsoft-bans-trend-micros-rootkit-buster-from-windows-10
cyber security

Microsoft bans Trend Micro driver from Windows 10 for "cheating" hardware tests

27 May 2020