More than 500 million personal Facebook records exposed on Amazon Cloud

UPDATE: Facebook's huge collection of data 'is in the hands of potentially thousands of third parties all over the world', analyst tells The National

FILE - In this Jan. 9, 2019, file photo, media and guests mingle before a tour of Facebook's new 130,000-square-foot offices, which occupy the top three floors of a 10-story Cambridge, Mass., building. Security researchers have uncovered more instances of Facebook user data being publicly exposed on the internet, further underscoring its struggles as it deals with a slew of privacy and other problems. (AP Photo/Elise Amendola, File)

In the latest incident highlighting Facebook’s apparently casual approach to mass data collection, the company has once again been caught on the wrong foot.

Personal data of millions of Facebook users was found lying on public servers, according to a report released on Wednesday by California-headquartered cybersecurity firm UpGuard.

Cyber experts say it looks like Facebook does not have enforced guidelines when it comes to how its partners handle cybersecurity.

"Seems like every other week a security issue is discovered in the Facebook ecosystem," Renaud Deraison, co-founder and CTO of cyber exposure specialists Tenable, told The National.

"Facebook is giving third-party app developers access to user data. That means the company’s massive trove of data is in the hands of potentially thousands of third parties all over the world," Mr Renaud said.

Two third-party Facebook app developers - Mexico-based digital media company Cultura Colectiva and California-based app maker At The Pool - had stored the data on Amazon's public servers and it was accessible and could be downloaded by the public, said the report.

The data included confidential information related to Facebook users’ passwords, comments, account names, "likes" and recent activities. There were over 540 million individual records of personal data.

The discovery shows that a year after the Cambridge Analytica scandal exposed how insecure and widely disseminated Facebook users’ information is online, companies that control that information at every step still haven’t done enough to seal up private data.

"App developers are focused mainly on bringing new offerings to market quickly - it's what consumers have come to expect. It looks like Facebook doesn't have enforced guidelines when it comes to how its partners handle cybersecurity," Mr Renaud told The National.

"As long as cybersecurity remains an afterthought in the digital economy, we'll continue to see these kinds of easily preventable data leaks."

UpGuard said one of the companies stored 146 gigabytes of data but the exact number of users whose data was included is not yet clear.

Security researcher Chris Vickery, who discovered the millions of records from Facebook users sitting unsecured on a public database, said he tried for weeks to get Amazon.com, owner of the servers where the data was stored, to take it down.

“We’re looking into the situation and assessing any extra steps we can take,” came the response from Amazon security staff on February 21 - three weeks after Mr Vickery initially brought the data exposure to Amazon’s attention - according to Bloomberg.

“Companies like Amazon Web Services push a narrative of a shared responsibility model, where they’re responsible for the hardware,” he said. “And then it’s up to the ones who are paying to store the data to correctly configure their storage instances to make sure anyone on the internet can’t access it.”

Facebook said it worked with Amazon to take down the database. It’s unclear whether Amazon pulled the plug itself, or persuaded Cultura Colectiva to take the files offline.
