Million Facebook Profiles Exposed by 2 Insecure Databases

Ann Santiago
April 5, 2019

"We are aware of the potential uses of data in current times, so we have reinforced our security measures to protect the data and privacy of our Facebook fanpages' users".

More than 540 million Facebook records - including users' comments, likes, account names and more - were left exposed by a third-party company on an Amazon cloud-computing server, researchers disclosed on Wednesday, marking the latest major privacy and security mishap to plague the social-networking giant. The Mark Zuckerberg-owned company has been found leaking data of millions of users to third parties.

Responding to the discovery, a spokesperson said: "Facebook's policies prohibit storing Facebook information in a public database". "The passwords are presumably for the 'At the Pool' app rather than for the user's Facebook account, but would put users at risk who have reused the same password across accounts", the firm said.

As the news broke, Amazon and Facebook made sure the data stored on Amazon's cloud storage was secured. Meanwhile, the At the Pool database went offline while UpGuard was still investigating, possibly because of a hosting lapse - the app shut down in 2014. "But as these exposures show, the data genie can not be put back in the bottle", UpGuard wrote in its blog post. "We use that information to improve the users' experience on the internet, and also to generate content that will appeal to, engage, and inspire our audiences", the statement adds. Moreover, UpGuard researchers claim that these are only two of the databases that they have reported on, and that the extent of data exposure could be far greater, since about 100,000 databases are hosted by Amazon.

Besides the number of users whose sensitive personal information was exposed, the two Facebook user data sets leaked by misconfigured Amazon S3 buckets share other similarities, such as the fact that both describe the users' "interests, relationships, and interactions, that were available to third-party developers".

Another day, another Facebook public-relations disaster.

Facebook used to allow developers to access information about the people using an app and about their friends, but it stopped this recently. Cultura's data trove wasn't taken down until April 3rd, when Bloomberg reached out to Facebook for a comment.

"The data exposed in each of these sets would not exist without Facebook, yet these data sets are no longer under Facebook's control", the UpGuard researchers explain in their report.
