In brief: Another privacy-related Facebook scandal has been uncovered. This time, two third-party app development companies left more than 540 million records exposed on a public storage server.
Researchers at security firm UpGuard discovered the two sets of data on Amazon’s S3 storage servers, where they were not password-protected, meaning anyone could access the files.
The larger of the two datasets came from Mexican media company Cultura Colectiva. The dataset is 146GB in size, and its 540 million records included details of users’ Facebook comments, likes, reactions, account names, IDs and more.
A separate database for a defunct Facebook-integrated app called “At the Pool” was also found. While this was much smaller, covering 22,000 users, it held more sensitive information, including friends lists, interests, photos, group memberships and check-ins. There were also passwords stored in plaintext, though these were for the app itself, rather than Facebook.
There’s no indication of how long the data was exposed, or if anyone downloaded it. UpGuard notified Cultura Colectiva twice about the exposed database in January, but the company never responded. The database was only removed after Bloomberg, which first reported the story, contacted Facebook. At the Pool’s data was taken offline during the investigation.
While the datasets came from third parties, the discovery will still shine a light on how Facebook allows these firms to access user data and the way it is stored. The incident has brought back memories of the Cambridge Analytica scandal, in which 87 million Facebook users' records were extracted without their consent.
“The data exposed in each of these sets would not exist without Facebook, yet these data sets are no longer under Facebook’s control,” the UpGuard researchers wrote. “In each case, the Facebook platform facilitated the collection of data about individuals and its transfer to third parties, who became responsible for its security.”
Responding to the discovery, a spokesperson said: “Facebook’s policies prohibit storing Facebook information in a public database. Once alerted to the issue, we worked with Amazon to take down the databases. We are committed to working with the developers on our platform to protect people’s data.”