
Misconfigured Storage Tech Strikes Again, Facebook User Data Exposed

“The real problem is that most of the data [reportedly shared by Facebook with its partners] still remains somewhere..."

By CBR Staff Writer

Facebook user data has been exposed online once again, this time via public-facing Amazon S3 buckets used by two third-party application developers. One dataset contained 540 million data points with a storage value of 146 gigabytes.

The breach was discovered by Australian-based cybersecurity researchers UpGuard, who found that two application developers, Cultura Colectiva and At the Pool, had both separately used AWS S3 buckets to store Facebook data, but had configured the buckets so that they were publicly downloadable.

The Cultura Colectiva dataset contained over 540 million data records. This data held the names and records of Facebook users including their IDs, comments and reactions.

The ‘At the Pool’ dataset encompassed backup information from their Facebook-integrated application. UpGuard notes that: “This database backup contained columns for fk_user_id, fb_user, fb_friends, fb_likes, fb_music, fb_movies, fb_books, fb_photos, fb_events, fb_groups, fb+checkins, fb_interests, password, and more.”

The only link between the two datasets left exposed online is that they both contain Facebook user data that had been copied from the platform through third-party applications.

UpGuard states that this is an indication that Facebook user data has: “Spread far beyond the bounds of what Facebook can control today. Combine that plenitude of personal data with storage technologies that are often misconfigured for public access, and the result is a long tail of data about Facebook users that continues to leak.”


Woes Upon Woes

Last month Facebook was found to be storing up to 600 million users’ passwords in plain text on internal company servers.


This data may have been accessed by up to 2,000 engineers or developers who made approximately nine million internal queries for data elements that contained plain text user passwords, an internal source told investigative reporter Brian Krebs, who broke that story.

With regard to the latest data breach, Ilia Kolochenko, CEO of High-Tech Bridge, told Computer Business Review in an emailed statement that in terms of size: “The reported leak is actually not that dramatic.”

“The real problem is that most of the data [reportedly shared by Facebook with its partners] still remains somewhere, with numerous uncontrolled backups and unauthorized copies, some of which are being sold on black market already. It is impossible to control this data, and users’ privacy is at huge risk.”

“Even if they change their passwords, other data such as private messages, for example, or search history – will remain affixed somewhere and often in hands of unscrupulous third parties. Facebook may now face numerous multi-million civil lawsuits and class actions, let alone huge monetary fines and other sanctions by authorities.”
