The personal data of millions of Facebook users was left exposed on Amazon Web Services servers, harvested by third party companies that left the data unprotected.
Cyber security firm UpGuard discovered different sets of data from two companies, with the largest containing more than 540m records, "detailing comments, likes, reactions, account names, FB IDs and more." The other consisted of plaintext passwords for 22,000 users of a Facebook app.
Out in the wild
In a blog post, the UpGuard Cyber Risk team explained that "each of the data sets was stored in its own Amazon S3 bucket configured to allow public download of files."
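The misconfiguration described in that quote has a recognisable shape in a bucket policy: an `Allow` statement whose `Principal` is the anonymous `"*"` and whose `Action` covers `s3:GetObject`, with no narrowing `Condition`. The following is an added example for checking a policy document for that shape; it is not UpGuard's tooling or anything from the page, and the two bucket policies in it are constructed samples with made-up bucket and account names. It also models the Block Public Access `RestrictPublicBuckets` setting, which makes S3 ignore a public bucket policy for anonymous callers, as an assumption about how such a check would be combined with the policy review.

```python
import fnmatch
import json

# Constructed sample policies (not from UpGuard or any real bucket).
# PUBLIC_POLICY has the shape that makes every object downloadable by anyone:
# an Allow to the anonymous principal "*" for s3:GetObject, no Condition.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAnonymousDownload",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-datalake/*",
    }],
})

# The corrected form: the same read access, but granted only to a named
# IAM role in the owning account (account id is a placeholder).
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowDataLakeReader",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/DataLakeReader"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-datalake",
                     "arn:aws:s3:::example-datalake/*"],
    }],
})

# Actions that let a caller download objects or enumerate them.
READ_TARGETS = ("s3:getobject", "s3:listbucket")


def _as_list(value):
    """Policy fields may be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True when the Principal is everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _grants_read(actions):
    """IAM action names are case-insensitive and may be wildcards (s3:Get*, s3:*, *)."""
    return any(fnmatch.fnmatchcase(target, action.lower())
               for action in actions for target in READ_TARGETS)


def public_read_statements(policy_json):
    """Return (statement id, has_condition) for every Allow-to-anyone read grant."""
    doc = json.loads(policy_json)
    findings = []
    for index, statement in enumerate(_as_list(doc.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue
        if not _is_anonymous(statement.get("Principal")):
            continue
        if not _grants_read(_as_list(statement.get("Action"))):
            continue
        sid = statement.get("Sid", f"statement-{index}")
        findings.append((sid, bool(statement.get("Condition"))))
    return findings


def assess_bucket(policy_json, restrict_public_buckets=False):
    """Classify a bucket policy:
    'public'      anyone on the internet can download objects
    'conditional' a public grant exists but is narrowed by a Condition (review by hand)
    'blocked'     the policy is public but Block Public Access overrides it (assumed model)
    'private'     no anonymous read grant
    """
    findings = public_read_statements(policy_json)
    if not findings:
        return "private"
    if restrict_public_buckets:
        return "blocked"
    if any(not conditional for _, conditional in findings):
        return "public"
    return "conditional"


if __name__ == "__main__":
    for name, policy in (("public", PUBLIC_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(f"{name}: {assess_bucket(policy)} {public_read_statements(policy)}")
```

In practice the policy document would come from a `get-bucket-policy` call per bucket and the Block Public Access flags from the account or bucket configuration; the check above is the offline part that decides which buckets need attention. A statement with a `Condition` is reported separately because some conditions (a source IP range) genuinely restrict access while others (requiring TLS) leave the data just as public.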
The company discovered the 540m records on an S3 bucket owned by Mexico-based media company Cultura Colectiva. "Our first notification email went out to Cultura Colectiva on January 10th, 2019. The second email to them went out on January 14th. To this day there has been no response."
UpGuard then contacted AWS, which said it had let Cultura Colectiva know about the exposure but did not act on it itself. "It was not until the morning of April 3rd, 2019, after Facebook was contacted by Bloomberg for comment, that the database backup, inside an AWS S3 storage bucket titled cc-datalake, was finally secured." This came after Facebook requested that AWS secure the content.
AWS said in a statement: “AWS customers own and fully control their data. When we receive an abuse report concerning content that is not clearly illegal or otherwise prohibited, we notify the customer in question and ask that they take appropriate action, which is what happened here.”
The other database came from a Facebook-integrated app titled 'At the Pool.' It is thought that the passwords were for the app itself, but it is likely many users stuck to the same password as on Facebook. It also included information on friends, likes, photos and more.
This time, however, the data was removed rapidly - taken offline during UpGuard's investigation, prior to notification. This may have been because the exposure was noticed, or because it appears that the parent company has shut down.
What is important to note about these two breaches is that in both cases the companies acquired the data from Facebook in a perfectly legal manner. The information they held, reminiscent of the Cambridge Analytica scandal, was provided willingly by the social network, which asks developers to safeguard and not abuse its data but has no control over it once it leaves the company's own servers.
"In each case, the Facebook platform facilitated the collection of data about individuals and its transfer to third parties, who became responsible for its security," UpGuard note.
"The surface area for protecting the data of Facebook users is thus vast and heterogenous, and the responsibility for securing it lies with millions of app developers who have built on its platform."