Facebook Devs Expose 540M User Records

Facebook

Hundreds of millions of Facebook user records were exposed on cloud servers and publicly visible, according to reports.

Security firm UpGuard posted about the news on Wednesday (April 3).

“The UpGuard Cyber Risk team can now report that two more third-party developed Facebook app datasets have been found exposed to the public internet,” the post said.

“One, originating from the Mexico-based media company Cultura Colectiva, weighs in at 146 gigabytes and contains over 540 million records detailing comments, likes, reactions, account names, FB IDs and more. This same type of collection, in similarly concentrated form, has been cause for concern in the recent past, given the potential uses of such data.”

It’s not known how long the exposed data was available or visible, or who may have gotten to it, if anyone did at all. The data sets were both discovered on Amazon cloud servers, and all of the data was removed by Facebook after the company was notified about the problem.

“Facebook’s policies prohibit storing Facebook information in a public database,” a spokesperson for the company said. “Once alerted to the issue, we worked with Amazon to take down the databases. We are committed to working with the developers on our platform to protect people’s data.”

The data being available doesn’t appear to be intentional, but it does highlight the amount of data collected by Facebook third-party apps, and what it’s used for.

“Data about Facebook users has been spread far beyond the bounds of what Facebook can control today,” UpGuard researchers said. “Combine that plenitude of personal data with storage technologies that are often misconfigured for public access, and the result is a long tail of data about Facebook users that continues to leak.”

Facebook had a similar issue when the political data firm Cambridge Analytica got millions of users information through a seemingly harmless quiz. Since that scandal, the social media giant has reduced the number of apps that have access to user data.