Facebook users’ data leaked through Amazon Web Services
The data exposed in each of these sets does not exist without Facebook, yet it is not under Facebook’s control.
Third-party applications continue to be an extensive security concern for Facebook. UpGuard, a cybersecurity firm, discovered that two third-party application datasets were exposed to the internet.
The first dataset originates from a Mexico-based media company called Cultura Colectiva. This set contains 540 million records that account for 146 gigabytes. Comments, likes, reactions, account names, and Facebook IDs are some of the particulars present in the dataset.
The second dataset contains a separate backup from a Facebook-integrated application called “At the Pool”. The information stored was exposed through an Amazon S3 bucket, a storage service by Amazon Web Services (AWS). This dataset contained columns for user IDs, friends lists, interests, check-ins, passwords, etc., and its files were open to public download.
The At the Pool dataset is not as large as the Cultura Colectiva dataset but is more concerning. It contained 22,000 unprotected passwords. At the Pool ended operations in 2014. The period of time for which the details were exposed is unknown.
The two sets differ in when they were last updated, the data they present, and the number of unique IDs affected. What they have in common is data on Facebook users, describing their interests, relationships, and interactions, that was available to third-party developers.
The UpGuard report highlighted the problems of storage technologies that were misconfigured for public access. The result continues to affect users whose data is constantly leaked.
What was the response?
UpGuard sent the first notification email to Cultura Colectiva on 10 January 2019. The second one was sent on 14 January 2019. The report said, “To this day there has been no response.”
The cybersecurity firm notified AWS of the breach on 28 January 2019. AWS responded on 1 February 2019 that the owner was made aware of the exposure. The firm sent another email to AWS after realising on 21 February that the data was still not secure. “AWS again responded on that same day stating they would look into further potential ways to handle the situation,” reported UpGuard.
On 3 April 2019, when Bloomberg contacted Facebook, one of the datasets inside the AWS S3 storage bucket was secured. Data from At the Pool was taken offline while UpGuard was looking into the likely data origin.
“It is unknown if this is a coincidence, if there was a hosting period lapse, or if a responsible party became aware of the exposure at that time. Regardless, the application is no longer active and all signs point to its parent company having shut down,” said UpGuard researchers in the report.
The solution is not here
Tech giants who store mass information are inevitably putting their users at risk. Leaving data behind in old storage locations is not giving the problem the attention it needs.
App developers on Facebook look to the data generated on Facebook users. For third-party applications like Cultura Colectiva, data on responses to each post allows them to create algorithms for predicting future content and the traffic it will generate.
“The data exposed in each of these sets would not exist without Facebook, yet these data sets are no longer under Facebook’s control.”
Facebook promised to restrict developers’ data access after the Cambridge Analytica scandal last year. The scandal showed that developers can abuse the data they have collected on millions of people without their permission. Facebook now offers rewards for researchers who identify problems with its third-party applications.
The UpGuard report shows that Facebook as a platform has facilitated data collection on individuals and transferred it to third parties, who were then in charge of its security. Responsibility for securing the data now lies solely with the millions of app developers who have built applications on the platform.