There are two new cases of data sets exposing tons of information belonging to Facebook users. More specifically, half a billion records covering millions of Facebook users were openly accessible from the public internet. The records were found on unprotected Amazon cloud storage. According to UpGuard Cyber Risk researchers, two datasets from third-party-developed Facebook apps were exposing users’ details to the public internet.
Cultura Colectiva, At the Pool Third Party Apps Exposed Facebook Users’ Data
One of these apps belongs to Mexico-based media company Cultura Colectiva, and it exposed 156 gigabytes of information, containing more than 540 million records of comments, likes, reactions, account names, Facebook IDs, among others.
The other app is called At the Pool, and it also exposed sensitive details to the internet via an Amazon S3 bucket. The database backup contained columns for fk_user_id, fb_user, fb_friends, fb_likes, fb_music, fb_movies, fb_books, fb_photos, fb_events, fb_groups, fb_checkins, fb_interests, password, and more. The passwords most likely belong to the At the Pool app rather than to the users’ Facebook accounts, but they would put at risk any user who has reused the same password across accounts, the researchers warned.
It should be noted that the At the Pool discovery is not as large as the Cultura Colectiva dataset, but it still contains plaintext passwords for 22,000 users, an amount that should not be underestimated. In addition, At the Pool no longer operates, having shut down in 2014, and the parent company’s website currently returns a 404 error notice. This fact is a bit of a relief to the app’s end users, whose names, passwords, email addresses, Facebook IDs, and other details were openly exposed for an unknown period of time.
“The data sets vary in when they were last updated, the data points present, and the number of unique individuals in each”, the report said. What all data sets have in common is that they all originate from Facebook users and present sensitive information in detail, such as interests, relationships, and interactions. These details were available to third-party app developers.
Data about Facebook users has been spreading uncontrollably, and Facebook is incapable of putting things in order. Combine this with the abundance of personal data and storage technologies that are often misconfigured for public access, and you have tons of data about Facebook users that continues to leak.
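As an added illustration of the misconfiguration behind these exposures (this is example code, not part of the original article or of UpGuard’s tooling), the following Python check decides whether an S3 bucket’s ACL leaves it world-readable. The input dictionaries are constructed samples shaped like the responses of the S3 GetBucketAcl and GetPublicAccessBlock APIs; the owner ID is a placeholder.

```python
"""Decide whether an S3 bucket ACL leaves the bucket readable by anyone.

The dict shapes mirror what the S3 GetBucketAcl and GetPublicAccessBlock
API calls return. All sample data below is constructed for illustration.
"""

# Predefined S3 groups: anyone on the internet, and any AWS account holder.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}
READ_LIKE = {"READ", "FULL_CONTROL"}  # permissions that allow listing/reading


def public_read_grants(acl):
    """Return the public group URIs to which the ACL grants READ or FULL_CONTROL."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_GROUPS
                and grant.get("Permission") in READ_LIKE):
            hits.append(grantee["URI"])
    return hits


def is_publicly_readable(acl, public_access_block=None):
    """True when a public ACL grant exists and is not neutralised by a
    Public Access Block with IgnorePublicAcls set (S3 then ignores such grants)."""
    cfg = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    if cfg.get("IgnorePublicAcls", False):
        return False
    return bool(public_read_grants(acl))


# Constructed sample: a backup bucket whose ACL grants READ to AllUsers and
# that has no Public Access Block configured, the pattern behind such leaks.
OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}  # placeholder
EXPOSED_ACL = {"Owner": {"ID": OWNER["ID"]}, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
# Hardened form: owner-only ACL plus every Public Access Block setting enabled.
HARDENED_ACL = {"Owner": {"ID": OWNER["ID"]}, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
]}
HARDENED_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
}}
```

Against a live account, the same dictionaries come from boto3’s `get_bucket_acl` and `get_public_access_block` calls (the latter raises an error when no block is configured, which should be treated as “no block”); bucket policies are a separate source of public access and need their own check.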
What Did UpGuard Researchers Do?
With regard to the Cultura Colectiva data, the researchers’ first notification email was sent on January 10th, 2019. The team sent a second email on January 14th. To this day there has been no response to any of the emails.
Because the data was stored in Amazon’s S3 cloud storage, the researchers also notified Amazon Web Services on January 28th. AWS sent a response on February 1st saying “that the bucket’s owner was made aware of the exposure”.
When February 21st rolled around and the data was still not secured, the researchers again sent an email to Amazon Web Services. AWS again responded on that same day, stating they would look into further potential ways to handle the situation. It was not until the morning of April 3rd, 2019, after Facebook was contacted by Bloomberg for comment, that the database backup, inside an AWS S3 storage bucket titled “cc-datalake,” was finally secured.
As for the data stemming from the At the Pool app, it was taken offline while the researchers were still investigating the data’s origin, before a formal notification email had been sent. It is unclear whether this was a coincidence, whether a hosting period lapsed, or whether a responsible party became aware of the exposure at that time and acted quickly. Nonetheless, the application is no longer active and all signs point to its parent company having shut down, the researchers concluded.
Another recent example revealed that a third-party Android app with Facebook API access was copying user data into storage outside of Facebook. Moreover, the data was stored insecurely in two locations. The issue was reported to Facebook through its Data Abuse Bounty program, and the storage locations were secured in November last year. As for the app itself, it was removed from Facebook, but the Android version is still available in Google Play. The worst part is that the number of users affected by this breach is unknown.