Over 540 million Facebook records were left exposed on the public internet via two third-party Facebook apps, reports cybersecurity firm UpGuard. The firm discovered two separate sets of Facebook user data on public Amazon cloud servers. One dataset, linked to Mexico-based media company Cultura Colectiva, contained over 540 million records including comments, likes, reactions, account names, Facebook IDs and more. Another, linked to a defunct Facebook app called ‘At The Pool’, contained plaintext passwords for 22,000 users.

Both datasets contain data about Facebook users, describing their interests, relationships, and interactions. Although Facebook has made efforts to reduce third-party access to data, especially after Cambridge Analytica, UpGuard argues that these exposures show that “the data genie cannot be put back in the bottle.” “The data exposed in each of these sets would not exist without Facebook,” explained UpGuard, “yet these data sets are no longer under Facebook’s control.” … “In each case, the Facebook platform facilitated the collection of data about individuals and its transfer to third parties, who became responsible for its security.”

Data about Facebook users has been spread far beyond the bounds of what Facebook can control today. Combine that plenitude of personal data with storage technologies that are often misconfigured for public access, and the result is a long tail of data about Facebook users that continues to leak.

Breach notice: UpGuard first notified Cultura Colectiva – a platform for posts about celebs and culture – of the breach on January 10, and once again on January 14, but has yet to receive a response. The firm then contacted Amazon Web Services on January 28, and once again on February 21. AWS stated that it was looking into it. The database was eventually secured only on April 3, when Facebook was contacted by Bloomberg for comment. As for At The Pool, its exposed dataset was taken offline during UpGuard’s investigation.

Facebook said it was investigating the incident and did not know the nature of the data, how it was collected or why it was stored on public servers. The company said it will inform users if it finds evidence that the data was misused.

Cambridge Analytica was a watershed for Facebook and privacy around the world. A personality quiz app was used to mine the information of 87 million people on Facebook, which was then used to target them with political ads as potential voters. In the fallout, Facebook last year began cracking down on third-party apps. It suspended 400 apps in August last year due to concerns around the developers who built them or how the information people chose to share with the app may have been used. This incident also shows that data safety has another dimension: companies have switched to cloud-computing services from Amazon, Microsoft, Google, and others instead of running operations in their own data centers.