Millions of Facebook records exposed on public cloud servers

Hundreds of millions of Facebook records have been exposed on Amazon cloud servers in the latest example of Facebook letting third parties extract user data. More than 540m Facebook records were left exposed.

That database was closed on Wednesday (April 3rd) after Bloomberg alerted Facebook to the problem and Facebook contacted Amazon. Researchers for the cybersecurity firm UpGuard also revealed that they had discovered two separate sets of Facebook user data on public Amazon cloud servers.

One dataset, linked to the Mexican media company Cultura Colectiva, contained more than 540m records, including comments, likes, reactions, account names, Facebook IDs and more. The other set, linked to a defunct Facebook app called At the Pool, was significantly smaller, but contained plaintext passwords for 22,000 users.

The large dataset was secured on Wednesday, while the smaller dataset was taken offline during UpGuard’s investigation.

This latest data exposure is not the result of any kind of malicious hack or system breach by an outside agent – it is simply Facebook allowing third parties to extract large amounts of user data without imposing controls on how that data is then used or secured (as per the Cambridge Analytica case).

UpGuard researchers revealed in their blogpost: “The data exposed in each of these sets would not exist without Facebook, yet these data sets are no longer under Facebook’s control.

“In each case, the Facebook platform facilitated the collection of data about individuals and its transfer to third parties, who became responsible for its security.”

Cindy Provin, CEO of nCipher Security, said of the incident: “A leak of hundreds of millions of records from any site is massive. Not only were plain text Facebook passwords exposed online free, but the data sets were configured for easy public download – you just had to know where to look.

“This is like winning a lottery for cyber-criminals who can easily piece together the information and use it as bait for phishing attacks and identity theft to cash in on even more sensitive information.

“A leak of this magnitude certainly validates what we heard from consumers in a recent survey about cybersecurity: 68% of respondents fear identity theft – and for good reason. Organisations need to be vigilant in today’s cyber-economy and extend their encryption policies to cover all personally identifiable information, so that it becomes useless should it fall into the wrong hands.

“And a final word of caution: don’t reuse passwords across sites.”

Ilia Kolochenko, CEO of web security company High-Tech Bridge, commented: “The reported leak is actually not that dramatic: the 540 million record database contains mostly publicly accessible data, while the second database with passwords in plaintext contains just 22,000 records – a drop in the ocean of leaked credentials in 2018.

“The real problem is that most of the data [reportedly shared by Facebook with its partners] still remains somewhere, with numerous uncontrolled backups and unauthorized copies, some of which are being sold on the black market already. It is impossible to control this data, and users’ privacy is at huge risk. Even if they change their passwords, other data – such as private messages, for example, or search history – will remain affixed somewhere and often in the hands of unscrupulous third parties.

“Facebook may now face numerous multi-million civil lawsuits and class actions, let alone huge monetary fines and other sanctions by authorities.”