Facebook user data has been exposed online once again, this time via public facing Amazon S3 buckets used by two third-party application developers. One dataset contained 540 million data points with a storage value of 146 gigabytes.
The breach was discovered by Australian-based cybersecurity researchers UpGuard who found two application developers Cultura Colectiva and At the Pool had both separately used AWS S3 Buckets to store Facebook data, but had configured the Buckets so it they were publicly downloadable.
The Cultura Colectiva dataset contained over 540 million data records. This data held the names and records of Facebook users including their IDs, comments and reactions.
The ‘At the Pool’ dataset encompassed backup information from their Facebook-integrated application. UPGuard notes that: “This database backup contained columns for fk_user_id, fb_user, fb_friends, fb_likes, fb_music, fb_movies, fb_books, fb_photos, fb_events, fb_groups, fb+checkins, fb_interests, password, and more.”
The only link between the two datasets left exposed online is that they both contain Facebook user data that had been copied from the platform through third-party applications.
UpGuard states that this is an indication that Facebook user data has: “Spread far beyond the bounds of what Facebook can control today. Combine that plenitude of personal data with storage technologies that are often misconfigured for public access, and the result is a long tail of data about Facebook users that continues to leak.”
Woes Upon Woes
Last month Facebook was found to be storing up to 600 million users’ passwords in plain text on internal company servers.
This data may have been accessed by up to 2,000 engineers or developers who made approximately nine million internal queries for data elements that contained plain text user passwords, an internal source told investigative reporter Brian Krebs, who broke that story.
With regards to the latest data breach, Ilia Kolochenko CEO of High-Tech Bridge told Computer Business Review in an emailed statement that in terms of size: “The reported leak is actually not that dramatic”
“The real problem is that most of the data [reportedly shared by Facebook with its partners] still remains somewhere, with numerous uncontrolled backups and unauthorized copies, some of which are being sold on black market already. It is impossible to control this data, and users’ privacy is at huge risk.”
“Even if they change their passwords, other data such as private messages, for example, or search history – will remain affixed somewhere and often in hands of unscrupulous third parties. Facebook may now face numerous multi-million civil lawsuits and class actions, let alone huge monetary fines and other sanctions by authorities.”