Another huge Facebook security blunder exposes data of millions

Though we're now a year out from the massive Cambridge Analytica Facebook scandal, we're being reminded of it today with two more instances of third-party Facebook apps mishandling user data. Both of these apps stored data collected from Facebook users in publicly accessible Amazon S3 libraries, and though it's difficult to get a handle on how many users had their data exposed, it's likely that the number stretches well into the millions.

The first instance of exposed user data falls on Cultura Colective, a media company based in Mexico City. The company stored a whopping 540 million records on Facebook users, totaling 146GB of data that included everything from comments and likes to account names and Facebook IDs. The second instance is the work of the Facebook-integrated app At the Pool, which published plain text data on 22,000 Facebook users to a public Amazon S3 bucket.

This includes passwords to the At the Pool app, security company UpGuard wrote in a report today. While that may not inherently put Facebook users at risk, it's bad news for anyone who happened to use the same password for At the Pool and anything else, including Facebook – a practice that is still unfortunately all too common among internet users.

Both of these Amazon S3 buckets had public downloads enabled, so all it would have taken is for someone with less-than-honest intentions to stumble upon those libraries for that data to fall into the wrong hands. UpGuard writes that the dataset from At the Pool – which hasn't been active since 2014 – was actually taken offline as it was crafting today's report, so that particular issue ended up resolving itself.

In the case of the data compromised by Cultura Colective, it sounds like getting anyone to care about the fact that this was all out in the open was an odyssey in itself. UpGuard said that it first reached out to Cultura Colective on January 10th of this year and followed up with a second email on January 14th. Despite its efforts, it still hasn't heard back from the company.

Realizing that for the dead end it was, UpGuard instead reached out to Amazon on January 28th and received a reply on February 1st, which noted that the owner of the bucket had been made aware of the issue. Later on that month, when the library still hadn't been taken offline, UpGuard contacted Amazon again and received a reply that said AWS would look into a potential solution on its own.

Fast forward to today and that S3 bucket was still publicly accessible. It wasn't until the folks at Bloomberg reached out to Facebook earlier today that the problem was taken care of, with that library now secured.

Even though that once-public data is now properly secured, this isn't a good look for Facebook. "These two situations speak to the inherent problem of mass information collection: the data doesn't naturally go away, and a derelict storage location may or may not be given the attention it requires," UpGuard wrote today, adding that even though Mark Zuckerberg committed last year to better locking down Facebook, data on its users has already "been spread far beyond the bounds of what Facebook can control today."