Private data of 540 million Facebook users exposed in plain text

Unprotected Amazon Web Services servers have a new victim: Facebook users.

It has been just a year since the Cambridge Analytica scandal, in which Facebook failed to secure its users’ information, made headlines around the world. Now researchers at the cybersecurity firm UpGuard have identified another unsecured database of Facebook data that was publicly posted on cloud servers powered by Amazon Web Services. This shows that there has been little effort from Facebook to ensure foolproof security of the data that it extracts from its users.

According to the analysis of UpGuard researchers, the database is a treasure trove of exclusive user information, all stored in plain sight without password protection. Reportedly, part of the exposed database is a dataset that belongs to Cultura Colectiva, a Mexican digital media firm, which openly stored roughly 540 million Facebook user records totaling around 146 gigabytes of confidential data.

Since it is publicly available, anyone can check it out and download data that includes email IDs, login credentials including passwords, account IDs, identification numbers and even comments and reactions.

Bloomberg notified Facebook about the presence of this dataset and the company immediately removed it from Amazon’s servers. There is another database that belongs to the At the Pool app, which isn’t active anymore. This dataset stored the email IDs and passwords of nearly 22,000 Facebook users.

Screenshot of the leaked database (UpGuard)

Researchers aren’t sure how long these databases remained exposed to public view, as they became inaccessible during the investigation. Facebook’s representative claims that the company took the databases offline after being notified and is currently investigating the incident to identify how and for how long the data was available on Amazon’s servers.

The representative further affirmed that Facebook doesn’t allow its user data to be stored on a public database, so this is a clear violation of its policies. It is, however, worth mentioning that just last week it was revealed that Facebook not only stored 600 million users’ passwords in plain text on its servers but also exposed them to over 20,000 employees.

“We are committed to working with the developers on our platform to protect people’s data,” Facebook’s representative further added.

However, it is worth noting that Facebook has a history of sharing user data with third-party developers, and only recently has this practice come to light and been prohibited. Moreover, UpGuard researchers claim that these are only two of the databases that they have reported on and that the extent of data exposure could be far greater, since about 100,000 databases are hosted by Amazon. UpGuard’s cyber risk research director Chris Vickery noted that it is high time user data is given its due respect and protection.

“The public doesn’t realize yet that these high-level systems administrators and developers, the people that are custodians of this data, they are being either risky or lazy or cutting corners. Not enough care is being put into the security side of big data,” Vickery stated.

Naaman Hart, Cloud Services Security Architect at Digital Guardian, also commented on the breach and warned users that there is no such thing as a free lunch, referring to the free use of social media sites, especially Facebook. The price, according to Hart, is user data.

“This is the price paid for access to a free service but you should acknowledge that this is indeed the price you pay. While Facebook themselves have not compromised this data, they have allowed it to be freely obtained by companies with lax security measures. In this sense they’ve not aided their customers in protecting their data, rather they’ve done the opposite,” said Hart.

Hart also warned companies about collecting user data and sharing it with third parties in the age of GDPR.

“In the age of GDPR companies must realize that when they collect data they are responsible for it, regardless of whether they share it onwards or keep it themselves. It will be interesting to see whether litigation springs from this as I expect it might. In that case, the financial and reputational damage to Facebook might prompt them to ensure the companies they do business with are held to their own security standards. We can but dream…,” added Hart.

