UPDATE [1:41 PM IST, April 4th, 2019]
Facebook has announced that it has removed all of the data that was lying exposed on Amazon servers.
Cultura Colectiva, the Mexican firm responsible for the larger of the two exposures, has also issued a statement. The firm said, “Neither sensitive nor private data, like emails or passwords, were amongst those because we do not have access to that kind of data, so we did not put our users’ privacy and security at risk”. The firm further added, “We are aware of the potential uses of data in current times, so we have reinforced our security measures to protect the data and privacy of our Facebook fanpages’ users”.
Adding to the string of data exposures that have hit Facebook, cyber-security firm UpGuard has reported two more third-party apps that left Facebook user data exposed on Amazon cloud servers. According to UpGuard, the larger of the two exposed data sets is 146 GB in size and holds over 540 million records, including comments, likes and Facebook IDs, among other fields.
Two separate data sets were found exposed. The one described above came from Cultura Colectiva, a Mexico-based digital media firm. The second is a database backup from a Facebook-integrated app called “At the Pool”, which was exposed to the public internet through an Amazon S3 bucket. The backup contained columns for fk_user_id, fb_user, fb_friends, fb_likes, fb_music, fb_movies, fb_books, fb_photos, fb_events, fb_groups, fb_checkins, fb_interests, password, and more. According to UpGuard, the passwords are presumably for the “At the Pool” app rather than for the user’s Facebook account, but they still put at risk any user who reused the same password across accounts.
Of the two, the Cultura Colectiva data set is the bigger concern simply because of its size: it could expose millions of users and information about them. The “At the Pool” data set is alarming for a different reason: the passwords of over 22,000 users were stored in plaintext, readable and downloadable by anyone on the internet. Each data set sat in its own S3 bucket, and both buckets had been configured to be publicly downloadable.
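A bucket ends up “publicly downloadable” in one of two ways: its ACL grants READ to the AllUsers or AuthenticatedUsers group, or its bucket policy allows a read action to Principal “*”. The script below is an added example, not code from the article, UpGuard or either app; it checks both routes offline, flags the S3 Block Public Access account-level setting if it is not fully on, and puts an exposed policy next to a hardened one that grants the same read to a single IAM role. The ACL, policy and Block Public Access documents are constructed to mirror the shape returned by aws s3api get-bucket-acl, get-bucket-policy and get-public-access-block; the bucket name, role name and account ID are made up.

```python
"""Offline check for the misconfiguration in the article: an S3 bucket whose
ACL or bucket policy lets anonymous users list or download its contents.
Added example; bucket names, role and account ID below are placeholders."""

# AWS predefined groups that make an ACL grant public.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}
# ACL permissions and policy actions that allow listing or downloading objects.
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:*", "*"}
# The four settings of S3 Block Public Access; all must be true.
BLOCK_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
              "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """IAM JSON accepts a scalar or a list in most positions; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def acl_public_grants(acl):
    """(group URI, permission) for each grant giving a public group read."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_GROUPS
                and grant.get("Permission") in READ_PERMISSIONS):
            findings.append((grantee["URI"], grant["Permission"]))
    return findings


def _principal_is_anonymous(principal):
    """Principal "*" or {"AWS": "*"} means anyone, signed in or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def policy_public_statements(policy):
    """Return (clearly public Sids, Sids needing review). A statement with a
    Condition (e.g. aws:SourceIp) may or may not limit exposure, so it is
    reported for human review rather than judged automatically."""
    public, needs_review = [], []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & READ_ACTIONS:
            continue
        sid = stmt.get("Sid", "statement[%d]" % i)
        (needs_review if stmt.get("Condition") else public).append(sid)
    return public, needs_review


def assess_bucket(acl, policy=None, public_access_block=None):
    """Run all three checks; an empty list means no anonymous read route."""
    findings = []
    for uri, perm in acl_public_grants(acl):
        findings.append("ACL grants %s to %s" % (perm, uri.rsplit("/", 1)[-1]))
    public, review = policy_public_statements(policy or {})
    findings.extend("policy statement %s allows anonymous read" % s for s in public)
    findings.extend("policy statement %s allows anonymous read under a Condition;"
                    " review it" % s for s in review)
    block = public_access_block or {}
    if not all(block.get(k) is True for k in BLOCK_KEYS):
        findings.append("S3 Block Public Access is not fully enabled")
    return findings


# Constructed samples (not real buckets); OWNER is a placeholder canonical ID.
OWNER = {"Type": "CanonicalUser", "ID": "exampleownercanonicalid"}
EXPOSED_ACL = {"Owner": {"ID": OWNER["ID"]}, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
PRIVATE_ACL = {"Owner": {"ID": OWNER["ID"]}, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
]}
EXPOSED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-app-backups/*",
}]}
# Hardened form: same read access, but only for one named IAM role.
HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "BackupRoleRead", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-reader"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-app-backups/*",
}]}
BLOCK_ALL = dict.fromkeys(BLOCK_KEYS, True)

if __name__ == "__main__":
    for name, args in (("exposed", (EXPOSED_ACL, EXPOSED_POLICY)),
                       ("hardened", (PRIVATE_ACL, HARDENED_POLICY, BLOCK_ALL))):
        print(name, assess_bucket(*args) or "no public access found")
```

Run against the real documents, the same functions take the parsed output of the three aws s3api calls named above. The policy check deliberately treats a Condition as “review”, not “safe”: a condition on aws:SourceIp narrows exposure, while one on aws:SecureTransport does not, and telling them apart is a judgement call rather than a string match.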
When contacted by the media, Facebook responded, “Facebook’s policies prohibit storing Facebook information in a public database”. The company added that it has seen no evidence of misuse of the data so far and that it is investigating.
This is, however, Facebook’s standard response to most such incidents. While Facebook cites the lack of evidence of misuse, that is hard to find reassuring when the exposure has only just been brought to light: a public S3 bucket keeps no record of who downloaded from it unless the owner had turned on access logging beforehand, so “no evidence” may simply mean “no logs”. What is equally alarming is how easily user data now ends up publicly exposed on the internet as Facebook continues to allow third-party apps to store it in an unsecured manner.