Wed, 17 Apr, 2019
Millions of Facebook user records exposed in data breach
Researchers at the cybersecurity firm UpGuard have said that they’ve discovered the existence of two datasets that contain the personal data of hundreds of millions of Facebook users.
Both datasets were publicly accessible.
UpGuard explained in a blog post how they connected the databases. They connected the first one to a Mexico-based media company called Cultura Colectiva, which contained over 146GB of data. This amounts to over 540 million Facebook user records.
The user records include comments, likes, reactions, account names, Facebook user IDS and much more.
The second leak was connected to an app that was integrated with Facebook called “At the pool” and had exposed around 22,000 passwords.
“The passwords are presumably for the ‘At the Pool’ app rather than for the user’s Facebook account, but would put users at risk who have reused the same password across accounts,” UpGuard said.
The second database contained information about users’ friends, likes, groups and locations where they checked in using the app.
Both datasets were stored in unsecured Amazon S3 buckets and could have been accessed by anyone. Neither bucket was password protected, but since UpGuard have reported on the breach, they have either been taken offline or made more secure.
UpGuard explained the difference in the datasets: “The data sets vary in when they were last updated, the data points present, and the number of unique individuals in each.
“What ties them together is that they both contain data about Facebook users, describing their interests, relationships, and interactions, that were available to third party developers.”
UpGuard then added: “As Facebook faces scrutiny over its data stewardship practices, they have made efforts to reduce third party access. But as these exposures show, the data genie cannot be put back in the bottle. Data about Facebook users has been spread far beyond the bounds of what Facebook can control today.”
Facebook were quick to work with Amazon to take down the databases and release a statement saying that they’ve done so:
“Facebook’s policies prohibit storing Facebook information in a public database. Once alerted to the issue, we worked with Amazon to take down the databases. We are committed to working with the developers on our platform to protect people’s data.”
However, the damage has already been done.
UpGuard has warned users of the app to change their passwords and say that the breach “puts users at risk who have reused the same password across accounts.
Have you been impacted by the breach? Let us know in the comments.