Almost 540 million Facebook user records left exposed on Amazon cloud servers

• The first AWS server belonging to Cultura Colectiva stored Facebook records such as users’ account names, Facebook IDs, comments, likes, and more.
• The second server stored Facebook records such as users’ Facebook ID, list of Facebook friends, likes, photos, groups, checkins, and user preferences like movies, music, books, and interests.

What is the issue - Researchers from UpGuard uncovered two misconfigured Amazon cloud servers belonging to third-party companies that contained over 540 million Facebook user records.

The first AWS server

• The first AWS S3 storage bucket belonged to a Mexican-based company named ‘Cultura Colectiva’.
• This server was 146GB sized and stored almost 540 million Facebook user records.
• The exposed Facebook records include users’ account names, Facebook IDs, comments, likes, and more.

Upon discovering the leaky server, UpGaurd contacted Cultura Colectiva twice but received no response. Later, they notified Amazon Web Services about the unprotected server and received a response that the owner of the server has been made aware. However, the server was not secured.

UpGuard then notified Bloomberg about the issue, who in turn contacted Facebook for comment. It was then the server was finally secured after almost 3 months.

The second AWS server

• The second AWS S3 storage bucket belonged to ‘At the Pool’ Facebook game.
• This storage bucket stored Facebook records such as users’ Facebook ID, list of Facebook friends, likes, photos, groups, checkins, and user preferences like movies, music, books, and interests.
• The leaky server also contained passwords in plain text for almost 22,000 users.

“The passwords are presumably for the “At the Pool” app rather than for the user’s Facebook account, but would put users at risk who have reused the same password across accounts,” researchers said.

The server belonging to ‘At the Pool' had been secured even before UpGaurd sent a formal notification email.

The bottom line

Despite Facebook having best of cyber-security experts and security-related features, date leaks related to Facebook occurs every other day. Even though data exposed by third-parties is beyond Facebook’s control, Facebook and the third-party app developers on Facebook should jointly take responsibility and work towards protecting users’ private data.