The Washington PostDemocracy Dies in Darkness

Millions of sensitive Facebook user records were left exposed on public web, security researchers say

April 3, 2019 at 10:43 p.m. EDT
Signage is displayed outside Facebook's headquarters in Menlo Park, Calif. (David Paul Morris/Bloomberg News)

More than 540 million Facebook records — including users’ comments, likes, account names and more — were left exposed by a third-party company on an Amazon cloud-computing server, researchers disclosed on Wednesday, marking the latest major privacy and security mishap to plague the social-networking giant.

The trove is one of two data sets discovered to be in full public view by the security firm UpGuard, which also raised alarms with an app developer that mishandled Facebook records that included users’ interests and potentially their app passwords.

Facebook said its policies prohibit app developers from “storing information in a public database,” adding in a statement Wednesday it has worked with Amazon to take them down. (Amazon founder and chief executive Jeff Bezos owns The Washington Post.)

“We are committed to working with the developers on our platform to protect people’s data,” Facebook said.

Facebook's fight against fake news has gone global

But the fact that such a vast, full cache of sensitive personal information could have been accessed by anyone online raises fresh questions about Facebook’s efforts to protect its users’ privacy. The report from UpGuard comes almost a year after revelations that Cambridge Analytica, a political consultancy, improperly accessed the personal data of 87 million Facebook users with the aid of a quiz app.

The exposure of Facebook’s data also illustrated a hard reality: Once accessed or obtained, personal data can live forever.

“All of the data passed from Facebook to literally millions of developers needs to be managed,” said Greg Pollock, a vice president at UpGuard. “I don’t know that Facebook can clean up the mess they’ve made. It’s an oil spill — that data is out there.”

The first set of records appear to belong to a Mexican media company, Cultura Colectiva, which improperly stored data about people’s friends, likes, photos, music, location check-ins and groups on a public Amazon server. Pollock said that UpGuard in January tried to notify the organization that its cache of Facebook information had been left open for anyone to download but ultimately received no reply.

The second set of mishandled Facebook records originated with a third-party app, called At The Pool, which ceased operation in 2014. Stored on Amazon was a trove of data that included names, email addresses and 22,000 users’ passwords, according to UpGuard, which could not say how long that information had been left exposed. The firm expressed concern that Facebook users who set the same password on multiple sites and services could be at the greatest risk.

Cultura Colectiva spokesman Daniel Peralta said in a statement that all the data provided to the company by Facebook was gathered from the fan pages the company manages as a publisher, which is “public, not sensitive, and available to all users who have access to Facebook.”

He added, “The UpGuard Cyber Risk team revealed that some of our datasets containing publicly available data were exposed, which included 540 million interactions such as likes, comments, and reactions. However, neither sensitive nor private data, like emails or passwords, were amongst those because we do not have access to that kind of data, so we did not put our users’ privacy and security at risk. We are aware of the potential uses of data in current times, so we have reinforced our security measures to protect the data and privacy of our Facebook fanpages’ users.”

Peralta did not respond to questions about when the company accessed the data and why passwords were found if the company did not have access to them.

At The Pool did not respond to a request for comment.

The revelations — first reported by Bloomberg — added to Facebook’s mounting privacy woes, which have triggered numerous investigations around the globe. In recent months, the company also has been faulted for leaving millions of users’ Facebook passwords stored in plain text.

At the same time, Facebook chief executive Mark Zuckerberg has embarked on a wholesale reimagining of the way users interact with each other on the social-networking site — and the data the company collects. On Saturday, he endorsed the broad contours of new regulation targeting the ways that tech giants tap consumers’ personal data.

Mark Zuckerberg: The Internet needs new rules. Let’s start in these four areas.

Before 2015, Facebook made it relatively easy for an outside developer to access the profiles of people who signed up for their services and also their friends — such permissions were abused by the academic developer working with Cambridge Analytica. It was unclear whether Cultura Colectiva accessed this data before 2015 or afterward, when Facebook put in place more stringent restrictions on developers.

After the Cambridge scandal broke in 2018, Facebook further restricted developer access and embarked on a wholesale review of third-party apps.