Over 540 million Facebook records were left exposed on the public internet via two third-party Facebook apps, reports cybersecurity firm UpGuard. The firm discovered two separate sets of Facebook user data on public Amazon cloud servers. One dataset linked to Mexico-based media company Cultura Colectiva contained over 540 million records including comments, likes, reactions, account names, Facebook IDs and more. Another linked to a defunct Facebook app called ‘At The Pool’, contained plaintext passwords for 22,000 users.
Breach notice: UpGuard first notified Cultura Colectiva – a platform for posts about celebs and culture – of the breach on January 10, and once again on January 14, but has not received a response until today. The firm then contacted Amazon Web Services on January 28, and once again on February 21. AWS stated that they were looking into it. The database was eventually secured only on April 3 when Facebook was contacted by Bloomberg for comment. As for At The Pool, its exposed dataset was taken offline during UpGuard’s investigation.
Facebook said it was investigating the incident and did not know the nature of the data, how it was collected or why it was stored on public servers. The company said it will inform users if they find evidence that the data was misused.
Cambridge Analytica was a watershed for Facebook and privacy around the world. A personality quiz app was used to mine information of 87 million people on Facebook, and used to target them with political ads as potential voters. The fallout of this was that Facebook last year began cracking down on third party apps. It suspended 400 apps in August last year due to concerns around the developers who built them or how the information people chose to share with the app may have been used. This incident also shows that data safety issues have another dimension; that is when companies have switched to to cloud-computing services from Amazon, Microsoft, Google, and others, instead of running operations on their own data centers.