Two caches of unprotected Facebook user data have been found on Amazon servers by independent researchers at UpGuard. The cybersecurity firm found “hundreds of millions of records about users, including their names, passwords, comments, interests, and likes.” However, the information was uploaded by two separate app developers, and not by Facebook itself.
Breaches like this, as well as last year’s Cambridge Analytica scandal, demonstrate just how little control Facebook has over data used by third parties. Where that data ends up, and the security with which it is stored, becomes the responsibility of the third party, for better or worse. After Cambridge Analytica, in which the data of “tens of millions of Facebook users” was compromised by a “University of Cambridge academic”, Facebook promised the public that it would be auditing developers of applications “that [had] ever had access to mass quantities of data.” However, UpGuard’s discovery highlights just how little control Facebook has over the information that has already been released.
The larger of the two findings, 146 gigabytes worth of data and roughly 540 million different records, belonged to Cultura Colectiva—a digital media company based in Mexico. When UpGuard discovered the data in January it attempted to contact Cultura Colectiva “but received no response.” By the end of the month UpGuard contacted Amazon, which again alerted Cultura Colectiva. According to UpGuard the database was only secured when Bloomberg contacted Facebook about it recently, and it remained unsecured until as recently as Wednesday.
The smaller cache, only roughly 22,000 users, came from an app developer called At the Pool. While this data set also contained plain-text passwords, it is believed that the passwords are for the At the Pool application and not necessarily for Facebook. However, this would “put users at risk who have reused the same password across accounts,” according to UpGuard. It is unclear how long this data was unsecured after the At the Pool application shut down in 2014.
In a statement a spokesperson for Facebook said that “Facebook’s policies prohibit storing Facebook information in a public database. Once alerted to the issue, we worked with Amazon to take down the databases. We are committed to working with the developers on our platform to protect people’s data.”
The spokesperson also said that the company is still assessing what information was available and how people are affected by this breach. However, this promise echoes the statement Facebook made after the Cambridge Analytica story broke. Hundreds of apps have been suspended from the platform based on “how the information people chose to share with the app may have been used.” These new findings call into question whether Facebook is adequately looking into how information is stored by third-party vendors. Whether information is stored inadvertently by an app developer, or intentionally sold as in the case of Cambridge Analytica, it violates the terms of the data agreement with Facebook and puts user data at risk.
Facebook CEO Mark Zuckerberg has started promoting a “new type of privacy-focused social network” that he hopes will guide the future of Facebook. In the meantime, it’s a security best practice to ensure that your data is protected. Having adequate, encrypted backups, and auditing user permissions can ensure that your business’s data is protected. While you may not have 540 million user profiles on hand, we’re sure your customers or clients would much rather have their information secured.
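The permission audit recommended above can be made concrete. The article says only “Amazon servers”; assuming the data sat in Amazon S3 buckets, the following added example (not code from the article, UpGuard, Facebook or either app developer) takes the bucket ACL and Public Access Block structures in the same shape that boto3’s `get_bucket_acl()` and `get_public_access_block()` return and flags the two conditions that make a bucket readable by the world: an ACL grant to the AllUsers or AuthenticatedUsers group, and account-level public-access blocking left off. The two sample ACLs and the block configuration are constructed here so the check runs offline; in a live audit they would come from those boto3 calls.

```python
"""Flag world-readable Amazon S3 bucket settings (added example, offline).

Input dicts mirror the shape returned by boto3's get_bucket_acl() and
get_public_access_block(); the sample data below is constructed, not real.
"""

# Group grantee URIs that expose a bucket beyond the owning account.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "everyone (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

# The four Public Access Block settings; all should be True on a private bucket.
PUBLIC_ACCESS_BLOCK_KEYS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)


def find_public_grants(acl: dict) -> list:
    """Return [{'who': ..., 'permission': ...}] for each grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        # Only Group grantees can be public; CanonicalUser grants name one account.
        if grantee.get("Type") != "Group":
            continue
        uri = grantee.get("URI", "")
        if uri in PUBLIC_GRANTEE_URIS:
            findings.append(
                {"who": PUBLIC_GRANTEE_URIS[uri], "permission": grant.get("Permission")}
            )
    return findings


def public_access_block_gaps(config: dict) -> list:
    """Return the names of Public Access Block settings that are not enabled."""
    settings = config.get("PublicAccessBlockConfiguration", {})
    return [key for key in PUBLIC_ACCESS_BLOCK_KEYS if not settings.get(key, False)]


def audit_bucket(name: str, acl: dict, block_config: dict) -> dict:
    """Combine both checks into one report for a bucket."""
    grants = find_public_grants(acl)
    gaps = public_access_block_gaps(block_config)
    # A public ACL grant is only effective if IgnorePublicAcls is off.
    effective = bool(grants) and "IgnorePublicAcls" in gaps
    return {"bucket": name, "public_grants": grants, "block_gaps": gaps, "exposed": effective}


# --- constructed sample data (hypothetical bucket names and owner id) ---
OWNER = {"DisplayName": "example-owner", "ID": "0123456789abcdef"}

SAMPLE_ACL_PUBLIC = {
    "Owner": OWNER,
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
        {
            "Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
            "Permission": "READ",
        },
    ],
}

SAMPLE_ACL_PRIVATE = {
    "Owner": OWNER,
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
    ],
}

BLOCK_OFF = {"PublicAccessBlockConfiguration": {key: False for key in PUBLIC_ACCESS_BLOCK_KEYS}}
BLOCK_ON = {"PublicAccessBlockConfiguration": {key: True for key in PUBLIC_ACCESS_BLOCK_KEYS}}


if __name__ == "__main__":
    for name, acl, block in (
        ("example-app-export", SAMPLE_ACL_PUBLIC, BLOCK_OFF),
        ("example-app-backups", SAMPLE_ACL_PRIVATE, BLOCK_ON),
    ):
        report = audit_bucket(name, acl, block)
        status = "EXPOSED" if report["exposed"] else "ok"
        print(f"{name}: {status} grants={report['public_grants']} gaps={report['block_gaps']}")
```

Bucket policies are a third exposure path the ACL check does not cover; the equivalent live check is `get_bucket_policy_status()`, whose `IsPublic` flag can be folded into the same report. Running this across every bucket in an account, on a schedule, is the kind of audit that would have caught an export left readable to anonymous users for months.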
Information for this story was originally found on Wired.com.