540 million Facebook records left exposed due to sloppy third-party developer security

Data was accessible on Amazon cloud servers, with no password protection.

What’s going on?
Bloomberg is reporting that security researchers have discovered a huge amount of data containing information about tens of thousands of Facebook users (likes, comments, Facebook IDs, account names, and so forth…), left available for anyone to access - no password required.

So it’s another Facebook screw-up?
Well, it’s not quite as simple as that. You see the data - which ended up on unsecured Amazon S3 buckets - was put there by third-parties, whose apps integrated with Facebook. In short, Facebook allowed them to have access to the data, but then the third-parties were careless with it.
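As an added illustration (not part of the original article or of UpGuard's tooling), here is a small defender-side check for the kind of misconfiguration described above: given a bucket's ACL and bucket policy in the shape the AWS S3 API returns them, it flags grants and statements that open the bucket to everyone. The sample ACL and policy below are constructed, not data from the incident.

```python
import json

# Grantee URIs AWS uses for "anyone" and "any authenticated AWS account".
PUBLIC_GRANTEES = {"http://acs.amazonaws.com/groups/global/AllUsers",
                   "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def public_acl_grants(acl):
    """Return (group, permission) pairs granted to AllUsers/AuthenticatedUsers."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return findings

def _wildcard_principal(principal):
    """'*' or {'AWS': '*'} / {'AWS': [..., '*']} means anyone on the Internet."""
    aws = principal.get("AWS", []) if isinstance(principal, dict) else principal or []
    return "*" in ([aws] if isinstance(aws, str) else list(aws))

def public_policy_statements(policy_json):
    """Return Sids of unconditional Allow statements open to a wildcard principal."""
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    return [s.get("Sid", "<no Sid>") for s in statements
            if s.get("Effect") == "Allow" and _wildcard_principal(s.get("Principal"))
            and not s.get("Condition")]

def is_publicly_readable(acl, policy_json=None):
    """True if the ACL or the bucket policy lets anyone read the bucket."""
    if any(perm in ("READ", "FULL_CONTROL") for _, perm in public_acl_grants(acl)):
        return True
    return bool(policy_json) and bool(public_policy_statements(policy_json))

# Constructed sample data (not real bucket output): an ACL granting anonymous
# READ, and a policy statement that allows s3:GetObject to Principal "*".
SAMPLE_ACL = {
    "Owner": {"ID": "exampleownerid"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "exampleownerid"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
```

In a real audit the ACL and policy would come from `get_bucket_acl` and `get_bucket_policy` for each bucket; a bucket is exposed if either check fires, regardless of how the other is configured.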

What third-party companies are these?
According to UpGuard, who first discovered the exposed datasets, 540 million of the records come from a Mexican media company called Cultura Colectiva. In addition, a much smaller collection of data originated from a now defunct company who built a Facebook-integrated app called “At the Pool.”

What data was left on the unsecured Amazon S3 servers?
The massive Cultura Colectiva batch of records contained Facebook users’ names, comments, likes, relationships, and interactions.

In the case of “At the Pool,” the exposed information included details scraped from Facebook accounts including names, email addresses, Facebook IDs, photos, check-ins, friend lists, interests, and other details.

540 million. That sounds like an awful lot of Facebook records to scrape.
Yes, it is. And don’t forget it’s just a year since Facebook admitted that as many as 87 million people had had their details improperly shared with Cambridge Analytica.

So, what you’re saying is that the risk is not just sharing data with Facebook, but not having control over what happens to data once you’ve shared it with Facebook?
There are a myriad of third-parties out there grabbing information via Facebook-integrated apps, and you have no way of knowing how well they are securing your data or - in many cases - what they might have taken at all.

Presumably this exposed data has been taken offline now, though?
The smaller “At the Pool” data was actually taken offline before the researchers informed them of the problem.

But the story isn’t so good when it comes to the much, much larger Cultura Colectiva treasure trove of data. UpGuard first informed Cultura Colectiva on January 10, 2019 about the problem, but heard nothing back. It also heard nothing back when it contacted the organisation again four days later.

Frustrated by the lack of response, the researchers then approached Amazon, who said they would tell the owner of the S3 bucket about the problem. Three weeks later, the data was still exposed.

Eventually it took until today, after Bloomberg contacted Facebook for comment, for the database to be properly secured.

I’m beginning to think using Facebook may not be such a great idea.
Don’t be silly. It’s great.

Okay, you rumbled me. Yes, of course it’s terrible. If you value your privacy, the only sensible step is to quit Facebook before worse things happen. But it’s hard for many people to quit.

We put together a “Smashing Security” podcast where we describe how to quit Facebook and offer some techniques for people who are fearful of going cold turkey.

Smashing Security #75: ‘Quitting Facebook’
