540 million Facebook records left exposed due to sloppy third-party developer security

Graham Cluley

What’s going on?
Bloomberg is reporting that security researchers have discovered a huge amount of data containing information about tens of thousands of Facebook users (likes, comments, Facebook IDs, account names, and so forth…), left available for anyone to access – no password required.

So it’s another Facebook screw-up?
Well, it’s not quite as simple as that. You see, the data – which ended up on unsecured Amazon S3 buckets – was put there by third parties whose apps integrated with Facebook. In short, Facebook allowed them to have access to the data, but then the third parties were careless with it.
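As an added example (not code from the article or from UpGuard), here is a small Python audit that flags the two bucket settings that leave S3 data readable with no password: a bucket policy whose Principal is everyone, and an ACL grant to the AllUsers or AuthenticatedUsers group. The policy and ACL below are constructed samples in the shape AWS returns them, so the check runs offline rather than against a live bucket.

```python
import json

# Constructed sample of the kind of bucket policy that makes objects readable by anyone.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "OwnerFullAccess", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket"}
  ]
}""")

# Constructed sample ACL in the shape boto3's get_bucket_acl() returns.
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}

# The two predefined groups whose grants amount to "anyone on the internet".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def is_public_principal(principal):
    """True when a policy Principal means 'everyone': "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def public_policy_statements(policy):
    """Sids of Allow statements that grant access to everyone. Statements with a
    Condition are still reported: a condition may narrow the grant, but a human must confirm."""
    return [s.get("Sid", "<no Sid>") for s in policy.get("Statement", [])
            if s.get("Effect") == "Allow" and is_public_principal(s.get("Principal"))]

def public_acl_grants(acl):
    """(group, permission) pairs for ACL grants to the AllUsers/AuthenticatedUsers groups."""
    found = []
    for grant in acl.get("Grants", []):
        g = grant.get("Grantee", {})
        if g.get("Type") == "Group" and g.get("URI") in PUBLIC_GROUPS:
            found.append((g["URI"].rsplit("/", 1)[1], grant.get("Permission")))
    return found
```

Against the samples the audit reports the `PublicReadGetObject` statement and the `AllUsers` READ grant; an empty result from both functions is what a properly locked-down bucket should produce.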

What third-party companies are these?
According to UpGuard, who first discovered the exposed datasets, 540 million of the records come from a Mexican media company called Cultura Colectiva. In addition, a much smaller collection of data originated from a now-defunct company that built a Facebook-integrated app called “At the Pool.”

What data was left on the unsecured Amazon S3 servers?
The massive Cultura Colectiva batch of records contained Facebook users’ names, comments, likes, relationships, and interactions.

In the case of “At the Pool,” the exposed information included details scraped from Facebook accounts including names, email addresses, Facebook IDs, photos, check-ins, friend lists, interests, and other details.

540 million. That sounds like an awful lot of Facebook records to scrape.
Yes, it is. And don’t forget it’s just a year since Facebook admitted that as many as 87 million people had had their details improperly shared with Cambridge Analytica.

So, what you’re saying is that the risk is not just sharing data with Facebook, but not having control over what happens to data once you’ve shared it with Facebook?
Exactly.

There are a myriad of third parties out there grabbing information via Facebook-integrated apps, and you have no way of knowing how well they are securing your data or – in many cases – what they might have taken at all.

Presumably this exposed data has been taken offline now, though?
The smaller “At the Pool” data was actually taken offline before the researchers informed them of the problem.

But the story isn’t so good when it comes to the much, much larger Cultura Colectiva treasure trove of data. UpGuard first informed Cultura Colectiva on January 10, 2019 about the problem, but heard nothing back. It also heard nothing back when it contacted the organisation again four days later.

Frustrated by the lack of response, the researchers then approached Amazon, who said they would tell the owner of the S3 bucket about the problem. Three weeks later, the data was still exposed.

Eventually it took until today, after Bloomberg contacted Facebook for comment, for the database to be properly secured.

I’m beginning to think using Facebook may not be such a great idea.
Don’t be silly. It’s great.

Seriously?
Okay, you rumbled me. Yes, of course it’s terrible. If you value your privacy, the only sensible step is to quit Facebook before worse things happen. But it’s hard for many people to quit.

We put together a “Smashing Security” podcast where we describe how to quit Facebook and offer some techniques for people who are fearful of going cold turkey.

Smashing Security #75: 'Quitting Facebook'


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.
