Experts found 540 Million Facebook user records on unprotected Amazon S3 buckets

The huge trove of Facebook user data was amassed and stored online on unprotected cloud servers by third-party Facebook app developers.

Definitively I can tell you that this is an awful period for Facebook and its users.

We first read about an embarrassing incident involving the social network giant that asked some newly-registered users to provide the passwords to their email accounts to confirm their identity … this is absurd.

News of the day is related to a data leak suffered by the company. Experts at security firm UpGuard discovered 540 million Facebook user records on unprotected Amazon cloud servers.

The huge trove of data was amassed and stored online on unprotected cloud servers by third-party Facebook app developers.

UpGuard experts discovered two datasets exposed online, one belonging to a Mexican media company called Cultura Colectiva and another from a Facebook-integrated app called “At the pool.”

“The UpGuard Cyber Risk team can now report that two more third-party developed Facebook app datasets have been found exposed to the public internet. One, originating from the Mexico-based media company Cultura Colectiva, weighs in at 146 gigabytes and contains over 540 million records detailing comments, likes, reactions, account names, FB IDs and more. This same type of collection, in similarly concentrated form, has been cause for concern in the recent past, given the potential uses of such data.” reads the post published by UpGuard.

“A separate backup from a Facebook-integrated app titled “At the Pool” was also found exposed to the public internet via an Amazon S3 bucket.”

The archive managed by Cultura Colectiva contains more than 146 GB of data related to over 540 million Facebook user records, it included comments, likes, reactions, account names, Facebook user IDs, and more.

The second archive managed by “At the Pool” app contains information about users’ friends, likes, groups, and checked-in locations, as well as names, plaintext passwords for “At the Pool” accounts, and email addresses for 22,000 people.

Both datasets were stored in unsecured Amazon S3 buckets, fortunately they both have now been secured after Upguard and Facebook contacted Amazon.

Facebook faced several times severe scrutiny for its practice of sharing its users’ data with third-party companies.

These two datasets demonstrate that even if the company is spending an important effort to reduce third-party access, some data are difficult to track and to control.

“But as these exposures show, the data genie cannot be put back in the bottle. Data about Facebook users has been spread far beyond the bounds of what Facebook can control today.” continues the post.

“Combine that plenitude of personal data with storage technologies that are often misconfigured for public access, and the result is a long tail of data about Facebook users that continues to leak.”

The availability of this data online poses serious risks to impacted users, threat actors that that eventually had accessed them, could use the information to carry out several malicious activities.

“These two situations speak to the inherent problem of mass information collection: the data doesn’t naturally go away, and a derelict storage location may or may not be given the attention it requires.” concludes the company.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Facebook, data leak)

[adrotate banner=”5″]

[adrotate banner=”13″]