Over 500 million Facebook user records discovered on public Amazon servers


TechSpot Editor
Staff member

Researchers at security firm UpGuard discovered two sets of data stored on Amazon’s S3 storage servers without password protection, meaning anyone could access the files.

The larger of the two datasets came from Mexican media company Cultura Colectiva. It is 146GB in size, and its 540 million records included details of users’ Facebook comments, likes, reactions, account names, IDs and more.

A separate database for a defunct Facebook-integrated app called “At the Pool” was also found. While this was much smaller, covering 22,000 users, it contained more sensitive information, including friends lists, interests, photos, group memberships and check-ins. There were also passwords stored in plaintext, though these were for the app itself, rather than Facebook.

There’s no indication of how long the data was exposed, or if anyone downloaded it. UpGuard notified Cultura Colectiva twice about the exposed database in January, but the company never responded. It was only removed after Bloomberg, which first reported the story, contacted Facebook. At the Pool’s data was taken offline during the investigation.

While the datasets came from third parties, the discovery will still shine a light on how Facebook allows these firms to access user data and the way it is stored. The incident has brought back memories of the Cambridge Analytica scandal, in which 87 million Facebook users' records were extracted without their consent.

“The data exposed in each of these sets would not exist without Facebook, yet these data sets are no longer under Facebook’s control,” the UpGuard researchers wrote. “In each case, the Facebook platform facilitated the collection of data about individuals and its transfer to third parties, who became responsible for its security.”

Responding to the discovery, a spokesperson said: “Facebook’s policies prohibit storing Facebook information in a public database. Once alerted to the issue, we worked with Amazon to take down the databases. We are committed to working with the developers on our platform to protect people’s data.”



TS Evangelist
Thankfully I deleted my Facebook account a while ago, so I can at least sue Facebook if my data leaks afterwards (as they are supposed to dispose of my data after I remove my account).

Uncle Al

TS Evangelist
You know, I'd like to see the most private and personal information of every member of Congress, The Executive Branch, The Joint Chiefs, and the Supreme Court members leaked in a large open public forum ..... then let's see how quickly they close down a few of these overblown, irresponsible companies ....... assuming of course that the Joint Chiefs don't nuke 'em first ..... LOL


TS Addict
“We are committed to working with the developers on our platform to protect people’s data.” Then they'll just sell it to just about anyone if they "promise" to keep it safe.