540 million Facebook user records exposed by third-party developers

The Mexican media company Cultura Colectiva and an app called "At the Pool" used their platform access to their users' Facebook data to make local copies of it, then left those copies exposed on the public internet -- in the clear, with no password or other access control -- 540 million records in all, stored in publicly accessible Amazon S3 buckets.

The leaks include "comments, likes, reactions, account names, FB IDs and more." The At the Pool leak also includes roughly 22,000 user passwords stored in plaintext, with no hashing or encryption. Those passwords are presumably for the app rather than for Facebook itself, but many users recycle passwords across services, so they put Facebook accounts (and others) at risk all the same.

At the Pool has been shut down since 2014, which implies that its data has been exposed for years. After a formal notification email, someone took its user data offline.

Cultura Colectiva -- which is still in business -- was notified repeatedly about its exposure (first by the security researchers at Upguard, who discovered it, and then by Amazon, after Upguard notified them), but it neither replied nor took any steps to protect its user data until Bloomberg News sent it a query, months later.

These two situations speak to the inherent problem of mass information collection: the data doesn’t naturally go away, and a derelict storage location may or may not be given the attention it requires.

For app developers on Facebook, part of the platform's appeal is access to some slice of the data generated by and about Facebook users. For Cultura Colectiva, data on responses to each post lets it tune an algorithm for predicting which future content will generate the most traffic. The data exposed in each of these sets would not exist without Facebook, yet the data sets are no longer under Facebook's control. In each case, the Facebook platform facilitated the collection of data about individuals and its transfer to third parties, who then became responsible for its security. The surface area for protecting the data of Facebook users is thus vast and heterogeneous, and the responsibility for securing it lies with the millions of app developers who have built on the platform.
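The immediate technical failure in both cases was an S3 bucket that anyone on the internet could read. The script below, added here as an example and not taken from the Upguard report or from either company's code, shows the three things an auditor checks to decide whether a bucket is public: an ACL that grants READ to the AllUsers or AuthenticatedUsers groups, a bucket policy that allows an action to Principal "*", and whether the account-level Public Access Block overrides both. The ACL, policy and Public Access Block documents are constructed samples shaped like the responses of the S3 GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock APIs, so the checks run offline without AWS credentials; the bucket name is hypothetical.

```python
"""Offline audit of S3 bucket configuration for anonymous public access.

Added example: the documents below are constructed to mirror the shapes
returned by GetBucketAcl, GetBucketPolicy (a JSON string) and
GetPublicAccessBlock, so nothing here talks to AWS.
"""
import json

# Group grantees S3 treats as "everyone on the internet" and "any AWS account".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Constructed sample: an ACL like the one an exposed backup bucket would have.
EXPOSED_ACL = {
    "Owner": {"ID": "0123456789abcdef"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

# Constructed sample: a policy granting anonymous object reads (the weak setting).
EXPOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-backups/*"}],
})

# Constructed sample: the same read, but scoped to one account (not public).
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                   "Action": ["s3:GetObject"],
                   "Resource": "arn:aws:s3:::example-backups/*"}],
})

NO_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": False, "IgnorePublicAcls": False,
    "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}

HARDENED_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}


def acl_public_permissions(acl):
    """Permissions the ACL grants to the AllUsers/AuthenticatedUsers groups."""
    perms = set()
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            perms.add(grant["Permission"])
    return perms


def _principal_is_wildcard(principal):
    """Principal "*" or {"AWS": "*"} (or a list containing "*") means anonymous."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_actions(policy_json):
    """Actions an unconditioned Allow statement grants to a wildcard principal.

    Statements carrying a Condition are skipped here; a production tool should
    report them separately, since many conditions still leave the bucket public.
    """
    actions = set()
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _principal_is_wildcard(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        act = stmt.get("Action", [])
        actions.update([act] if isinstance(act, str) else act)
    return actions


def public_access_block_enforced(pab):
    """True only when all four Public Access Block settings are on."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    return all(cfg.get(k) is True for k in (
        "BlockPublicAcls", "IgnorePublicAcls",
        "BlockPublicPolicy", "RestrictPublicBuckets"))


def audit_bucket(name, acl, policy_json, pab):
    """Return a list of findings; an empty list means nothing is public."""
    if public_access_block_enforced(pab):
        return []  # public ACL grants and policy statements are overridden
    findings = []
    perms = acl_public_permissions(acl)
    if perms:
        findings.append(f"{name}: ACL grants {sorted(perms)} to everyone")
    actions = policy_public_actions(policy_json)
    if actions:
        findings.append(f"{name}: policy allows {sorted(actions)} to Principal *")
    return findings


if __name__ == "__main__":
    for label, pab in (("no block", NO_PAB), ("block on", HARDENED_PAB)):
        print(label, audit_bucket("example-backups", EXPOSED_ACL, EXPOSED_POLICY, pab))
```

Against the constructed "exposed" bucket the audit returns two findings (public ACL and public policy); with all four Public Access Block settings enabled it returns none, which is the corrected state. To run this against real buckets, feed it the responses of boto3's `get_bucket_acl`, `get_bucket_policy` (the `Policy` field) and `get_public_access_block`.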

Losing Face: Two More Cases of Third-Party Facebook App Data Exposure [Upguard]

(via Motherboard)