540 million Facebook records left exposed due to sloppy third-party developer security

Data was accessible on Amazon cloud servers, with no password protection.

What’s going on?
Bloomberg is reporting that security researchers have discovered a huge amount of data containing information about tens of thousands of Facebook users (likes, comments, Facebook IDs, account names, and so forth…), left available for anyone to access – no password required.

So it’s another Facebook screw-up?
Well, it’s not quite as simple as that. You see the data – which ended up on unsecured Amazon S3 buckets – was put there by third parties whose apps integrated with Facebook. In short, Facebook allowed them to have access to the data, but then the third parties were careless with it.
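One way a bucket owner can check for the misconfiguration described above: an added example, not from the article or from UpGuard, that audits a bucket's ACL and bucket policy in the JSON shape boto3's get_bucket_acl() and get_bucket_policy() return them, run here over constructed sample input rather than a live AWS call.

```python
# Added example (not from the article): offline audit of an S3 bucket ACL and
# bucket policy for grants that make objects readable with no credentials at all.
import json

# Well-known S3 group URIs. AuthenticatedUsers means *any* AWS account holder,
# which in practice is as good as public.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def public_acl_grants(acl):
    """Return (group, permission) pairs granted to everyone via the bucket ACL."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in (ALL_USERS, AUTH_USERS):
            found.append((uri.rsplit("/", 1)[-1], grant["Permission"]))
    return found


def public_policy_statements(policy_json):
    """Return the Sids of unconditional Allow statements whose Principal is '*'.

    Statements carrying a Condition are skipped here; they need a human read,
    since a Condition can still leave the bucket wide open."""
    policy = json.loads(policy_json)
    open_sids = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and wildcard and not stmt.get("Condition"):
            open_sids.append(stmt.get("Sid", "<no Sid>"))
    return open_sids


def audit(acl, policy_json):
    """Combine both checks into a list of human-readable findings."""
    findings = [f"ACL grants {perm} to {who}" for who, perm in public_acl_grants(acl)]
    findings += [f"policy statement {sid} allows Principal '*'"
                 for sid in public_policy_statements(policy_json)]
    return findings


# Constructed sample input (hypothetical bucket, not the ones in the story).
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    for finding in audit(SAMPLE_ACL, SAMPLE_POLICY):
        print("PUBLIC:", finding)
```

An empty result from audit() only means the ACL and policy are clean; object-level ACLs and the account's S3 Block Public Access settings still need checking separately.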

What third-party companies are these?
According to UpGuard, who first discovered the exposed datasets, 540 million of the records come from a Mexican media company called Cultura Colectiva. In addition, a much smaller collection of data originated from a now-defunct company that built a Facebook-integrated app called “At the Pool.”

What data was left on the unsecured Amazon S3 servers?
The massive Cultura Colectiva batch of records contained Facebook users’ names, comments, likes, relationships, and interactions.

In the case of “At the Pool,” the exposed information included details scraped from Facebook accounts including names, email addresses, Facebook IDs, photos, check-ins, friend lists, interests, and other details.

540 million. That sounds like an awful lot of Facebook records to scrape.
Yes, it is. And don’t forget it’s just a year since Facebook admitted that as many as 87 million people had had their details improperly shared with Cambridge Analytica.

So, what you’re saying is that the risk is not just sharing data with Facebook, but not having control over what happens to data once you’ve shared it with Facebook?
Exactly.

There is a myriad of third parties out there grabbing information via Facebook-integrated apps, and you have no way of knowing how well they are securing your data or – in many cases – what they might have taken at all.

Presumably this exposed data has been taken offline now, though?
The smaller “At the Pool” data was actually taken offline before the researchers informed them of the problem.

But the story isn’t so good when it comes to the much, much larger Cultura Colectiva treasure trove of data. UpGuard first informed Cultura Colectiva on January 10, 2019 about the problem, but heard nothing back. It also heard nothing back when it contacted the organisation again four days later.

Frustrated by the lack of response, the researchers then approached Amazon, who said they would tell the owner of the S3 bucket about the problem. Three weeks later, the data was still exposed.

Eventually it took until today, after Bloomberg contacted Facebook for comment, for the database to be properly secured.

I’m beginning to think using Facebook may not be such a great idea.
Don’t be silly. It’s great.

Seriously?
Okay, you rumbled me. Yes, of course it’s terrible. If you value your privacy, the only sensible step is to quit Facebook before worse things happen. But it’s hard for many people to quit.

We put together a “Smashing Security” podcast where we describe how to quit Facebook and offer some techniques for people who are fearful of going cold turkey.

Smashing Security #75: 'Quitting Facebook'

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.
