Security researchers report that third-party developed Facebook app datasets have been found exposed to the public internet.
The first dataset, according to the UpGuard Cyber Risk team, comes from the Mexico-based media company Cultura Colectiva, weighs in at 146 gigabytes and contains over 540 million records detailing comments, likes, reactions, account names, FB IDs and more.
A separate backup from a Facebook-integrated app titled “At the Pool” was also found exposed to the public internet via an Amazon S3 bucket. This database backup contained columns for fk_user_id, fb_user, fb_friends, fb_likes, fb_music, fb_movies, fb_books, fb_photos, fb_events, fb_groups, fb+checkins, fb_interests, password, and more. The passwords are presumably for the “At the Pool” app rather than for the user’s Facebook account, but would put users at risk who have reused the same password across accounts.
The researchers says that the At the Pool discovery is not as large as the Cultura Colectiva dataset, but it contains plaintext (i.e. unprotected) Facebook passwords for 22,000 users. At the Pool ceased operation in 2014. This should offer little consolation to the app’s end users whose names, passwords, email addresses, Facebook IDs, and other details were openly exposed for an unknown period of time.
Each of the data sets was stored in its own Amazon S3 bucket configured to allow public download of files.
Both data sets contain data about Facebook users, describing their interests, relationships, and interactions, that were available to third party developers. As Facebook faces scrutiny over its data stewardship practices, they have made efforts to reduce third party access. But as these exposures show, the data genie cannot be put back in the bottle.
With regard to the Cultura Colectiva data, thge researchers notified Cultura Colectiva on January 10th, 2019 and then later on January 14th, but thet received no repsonse. The company then notified Amazon Web Services of the situation on January 28th. AWS responded on February 1st saying that the bucket’s owner was made aware of the exposure.
On April 3rd, 2019, Facebook was contacted by Bloomberg for comment, and soon the database backup, inside an AWS S3 storage bucket titled “cc-datalake,” was secured.