According to researchers at the cybersecurity firm UpGuard, two third-party Facebook app developers, Mexico-based digital media company Cultura Colectiva and California-based app maker At The Pool, stored the data on Amazon’s public servers, where it was accessible to the public and could be downloaded.
One company stored over 540 million individual records of personal data. A 146GB data set with information about Facebook users’ activity, account names and IDs was found. Another app stored unprotected Facebook passwords for 22,000 users.
The UpGuard researchers wrote:
“Data about Facebook users has been spread far beyond the bounds of what Facebook can control today. Combine that plenitude of personal data with storage technologies that are often misconfigured for public access, and the result is a long tail of data about Facebook users that continues to leak.”
Security researcher Chris Vickery, who discovered that the millions of records from Facebook users were exposed to the public, said that the data is not particularly sensitive. However, it is important from a marketing standpoint, as it would allow publishers and marketers to see which stories and videos were generating the most traffic and comments.
Further, Vickery said that his finding ‘highlights a problem that is intrinsic with mass data collection.’ He added:
“The public doesn’t realize yet that these high-level systems administrators and developers, the people that are custodians of this data, they are being either risky or lazy or cutting corners. Not enough care is being put into the security side of big data.”
It’s not clear how long the data was publicly available or who may have obtained it from the servers. After Facebook was contacted, the data was taken down.
Facebook’s representative commented:
“Facebook’s policies prohibit storing Facebook information in a public database. Once alerted to the issue, we worked with Amazon to take down the databases. We are committed to working with the developers on our platform to protect people’s data.”
As Vickery stated, the data may have been gathered through Facebook integration. They are currently looking into the situation and trying to figure out what can be done.
Does Facebook Not Care About Security?
Cyber experts believe that when it comes to privacy and security, Facebook does not have strict guidelines.
Renaud Deraison, co-founder and CTO of Tenable, said:
“Seems like every other week a security issue is discovered in the Facebook ecosystem. Facebook is giving third-party app developers access to user data. That means the company’s massive trove of data is in the hands of potentially thousands of third parties all over the world.”
“App developers are focused mainly on bringing new offerings to market quickly – it’s what consumers have come to expect. It looks like Facebook doesn’t have enforced guidelines when it comes to how its partners handle cybersecurity.”
The situation puts Facebook in a particularly bad position, as this is not the first time the company has made a serious blunder because of its casual attitude toward protecting users’ data.
Just recently, Facebook acknowledged a bug in its password management systems that caused hundreds of millions of user passwords for Facebook, Facebook Lite, and Instagram to be stored as plaintext in an internal platform. Facebook left the passwords of some 600 million Facebook users vulnerable, and as a result, thousands of Facebook employees could have searched for and found them.
As a reminder, we reported that Facebook is going to make an enormous revenue of $10 billion each year by 2021 due to the launch of the Instagram Checkout feature. However, after the breaking news about the lack of security and the vulnerability of users’ data, some are quite skeptical about the giant’s plans.