US data firm Localbox leaks 48 million user profiles scraped from Facebook, Twitter and LinkedIn

Washington-based data firm LocalBlox has leaked personal profiles built off of data from different social media networks like Facebook without users' knowledge or express consent. The UpGuard Cyber Risk team said it discovered an improperly configured Amazon S3 cloud bucket without a password located at the subdomain "Ibdumps" on February 18, 2018.

The publicly available bucket contained 1.2 TB data of user profiles LocalBlox created by combining data from different social media sources such as Facebook, LinkedIn, Twitter and Zillow. UpGuard analysts state there were more than 48 million records of both businesses and individuals listed in the exposed database.

Facebook and Twitter hold a huge amount of users' personal data while LinkedIn includes users' professional data. Data from real-estate site Zillow was also roped in to create these consolidated user profiles. Researchers believe these profiles containing sensitive and personally identifiable information is highly coveted and targeted by hackers.

Ashfaq Rahman, co-founder of LocalBlox has confirmed that the exposed data belonged to them. They have ”data scrapped” user profiles without knowledge of the users and bundled them together to get a detailed picture of every user profiles for the purpose of targeted advertisements and political surveys. All the data collected was by scrapping the sites HTML code instead of using API’s which prevents mass scraping.

LocalBlox database works by tracking IP address and matching collected data to the same to IP address, which allows it to provide clear idea of the behaviour and background of the user at that IP address, UpGuard said. On their website, Localbox claims it has over 650 million records in its device ID database, and 180 million records in its mobile phone database. It also states it has a US voter database of 180 million citizens.

According to UpGuard, the data was found in a human-readable JSON file and included names, physical addresses, employment and job history data collected from Facebook, Twitter and LinkedIn profiles.

"This data highlights the ease with which Facebook data can be scraped, and the ubiquity of Facebook information in psychographic datasets," UpGuard stated. "According to their website, 'LocalBlox is the First Global Customer Intelligence Platform to search, combine and validate deep business and people profiles – at scale.' The exposed data wasn’t just a customer list, but the very product LocalBlox offers. Their value statements about the power of their data provide some insight into exactly why exposing such data is extremely dangerous."

The security firm notified LocalBox about the leak on 28 February and the bucket was reportedly secured hours later.

LocalBox's chief technology officer Ashfaq Rahman told ZDNet that "no other individual is believed to have access this file from the S3 bucket."

The incident comes just a month after the Facebook-Cambridge Analytica came to light in which London-based data firm Cambridge Analytica obtained data of nearly 87 million users. The latest data breach further puts Facebook and other social media firms' data collection practices under scrutiny.

Facebook, Twitter and LinkedIn have all previously stated their firm stance and rules against illegal data scraping of user information. However, security researchers state the incident highlights how this valuable information can be targeted by malicious actors, unbeknownst to users.

"In such cases, both a targeted website like Facebook and any affected users are being victimized, as personal information entrusted to the social network is snatched up for the benefit of a platform of which no one is aware," UpGuard stated.