
540 million Facebook account records found on unprotected AWS S3 buckets

Written by Thu 4 Apr 2019

Facebook data dump found by security researchers on unprotected AWS instances

Facebook user data has been found publicly accessible on AWS, a new report from security researchers says.

Cybersecurity firm UpGuard said it found more than 540 million records – including account names, comments and likes – had been stored publicly on AWS S3 buckets by two different third-party apps.

The incident is the latest in a string of privacy failures to hit the social networking giant, as it faces continued scrutiny over its management of user data and its privacy controls.

Facebook said it had taken down the databases once it was made aware of them.

“Facebook’s policies prohibit storing Facebook information in a public database,” a company spokeswoman said in a statement.

“Once alerted to the issue, we worked with Amazon to take down the databases. We are committed to working with the developers on our platform to protect people’s data.”

The company confirmed it was continuing to investigate the incident.

Que S3ra S3ra

The first database was from a Mexico-based media company called Cultura Colectiva and included user names, comments, likes, reactions, account names and more. The second came from an app called At The Pool. Although this made only 20,000 account details available, the data also included plain-text passwords.

The incident is the latest in a growing catalogue of data issues for the company, following widespread incidents of misinformation being spread on the network, breaches of user data and allegations of political manipulation.

In October last year, Facebook also revealed millions of email addresses, phone numbers and other personal user information were compromised during a security breach, affecting as many as 50 million accounts.

Last month, the company also admitted that millions of Facebook, Facebook Lite and some Instagram users had their passwords stored in plain text, leaving the accounts in question at risk.

Numerous uncontrolled backups

Cybersecurity expert Ilia Kolochenko, chief executive of online security firm High-Tech Bridge, said Facebook’s problem was that the amount of data it reportedly shared with third parties meant it was losing the ability to stop such leaks.

“The reported leak is actually not that dramatic: the 540 million record database contains mostly publicly accessible data, while the second database with passwords in plain text contains just 22,000 records – a drop in the ocean of leaked credentials in 2018,” he said.

“The real problem is that most of the data – reportedly shared by Facebook with its partners – still remains somewhere, with numerous uncontrolled backups and unauthorised copies, some of which are being sold on the black market already.

“It is impossible to control this data, and users’ privacy is at huge risk. Even if they change their passwords, other data such as private messages, for example, or search history – will remain affixed somewhere and often in hands of unscrupulous third parties.”
