Third-party Facebook app leaked 540m user records on AWS server

Data trove thought to have been shared prior to Facebook's policy reforms

Facebook's heavily criticised app integration system has led to more than 146GB worth of data being left publicly exposed on AWS servers owned and operated by third-party companies.

It's believed 540 million records relating to Facebook accounts were stored on the servers, including comments, likes, reactions, names and user IDs, obtained when users engaged with applications on the platform - the same methods unearthed during the investigation into Cambridge Analytica.


Two apps have been associated with the data hoard so far: Cultura Colectiva, a Mexico-based media company that promotes content to users in Latin America, and At the Pool, a service that matched users with other content, which has been out of operation since 2016.

At the Pool is said to have held 22,000 passwords for its service in plaintext alongside columns relating to Facebook user IDs - the fear being that many users may have been using the same password for their Facebook accounts.

Both apps' datasets were stored in Amazon S3 buckets that had been misconfigured to allow public download of the files. S3 buckets are widely used by businesses because they allow data to be distributed across servers over a wide geographical area, but there have been multiple incidents of companies failing to adequately safeguard the data they hold in them.


Facebook condemned the practices of both apps. "Facebook's policies prohibit storing Facebook information in a public database," said a Facebook spokesperson. "Once alerted to the issue, we worked with Amazon to take down the databases. We are committed to working with the developers on our platform to protect people's data."


AWS was made aware of the exposed data on 28 January 2019, following an alert issued by security research firm UpGuard. AWS confirmed it had received the report and was investigating it, but the data was only secured on Wednesday this week.

"AWS customers own and fully control their data," an AWS spokesperson told IT Pro. "When we receive an abuse report concerning content that is not clearly illegal or otherwise prohibited, we notify the customer in question and ask that they take appropriate action, which is what happened here."

This statement aligns with UpGuard's account: the researchers alerted Cultura Colectiva on 10 January 2019, before contacting AWS, but have still not received a response from the company.

Accenture, Experian, WWE, and the NSA have all been found to have stored data on unsecured AWS servers in recent years, with the problem becoming so prevalent that hackers have started creating tools specifically designed to target these buckets.


"While Amazon S3 is secure by default, we offer the flexibility to change our default configurations to suit the many use cases in which broader access is required, such as building a website or hosting publicly downloadable content," said AWS. "As is the case on-premises or anywhere else, application builders must ensure that changes they make to access configurations are protecting access as intended."
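The exposure described above comes down to bucket settings that grant read access to everyone. As an added illustration (not code from the article, UpGuard or AWS), the following Python audits the two places such a grant can live: the bucket ACL (the AllUsers / AuthenticatedUsers groups) and the bucket policy (an Allow statement with a wildcard principal and no Condition). The sample ACL and policy are constructed here; their shape mirrors what boto3's get_bucket_acl and get_bucket_policy return, so the same functions can be pointed at live output.

```python
import json

# Constructed sample inputs (not from the article); the dict/JSON shapes follow
# what boto3's get_bucket_acl() and get_bucket_policy()["Policy"] return.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}

SAMPLE_ACL = {
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},  # world-readable listing
    ],
}

SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",                # anyone on the internet
        "Action": "s3:GetObject",        # may download every object
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})


def acl_public_grants(acl):
    """Return (group, permission) pairs the ACL grants to the public groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return findings


def _is_wildcard_principal(principal):
    # Principal may be "*", {"AWS": "*"} or {"AWS": ["*", ...]}; anything else is scoped.
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return "*" in ([principal] if isinstance(principal, str) else principal or [])


def policy_public_statements(policy_json):
    """Return Allow statements open to everyone that carry no Condition block."""
    stmts = json.loads(policy_json).get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return [s for s in stmts if s.get("Effect") == "Allow"
            and _is_wildcard_principal(s.get("Principal")) and not s.get("Condition")]


def bucket_is_public(acl, policy_json=None):
    """True if either the ACL or the policy exposes the bucket to the public."""
    return bool(acl_public_grants(acl) or (policy_json and policy_public_statements(policy_json)))
```

Run against real account output, any non-empty result from either function is a bucket to review; the S3 Block Public Access settings are the account-level control that prevents such grants from taking effect at all.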

The news coincides with an article published in The Washington Post in which Facebook's Mark Zuckerberg called for a "worldwide GDPR" and greater regulation of the data protection practices of big tech outside the EU, despite the company itself facing 10 major GDPR investigations.

The discovery of the data has once again raised the issue of Facebook's data sharing policies, something that facilitated the improper sharing of user data for political purposes by Cambridge Analytica. This prompted Facebook to change its sharing policies to restrict access by third-parties, although the fear is that data troves such as this have already been widely shared.


"Cambridge Analytica was the most high profile case that led to some significant changes in how Facebook interacts with third-party developers, but I suspect there are many troves of Facebook data sitting around where they shouldn't be, including this one," said privacy advocate Paul Bischoff of Comparitech.com.

"Even though Facebook has limited what information third-party developers can access, there's still nothing Facebook can do about abuse or mishandling until after the fact," he said.
