Giant trove of Facebook user data was in open AWS S3 bucket

It looks like the 540 million records may in fact be an aggregate of all the "comments, likes, reactions, account names, Facebook IDs and more", as UpGuard described it, pertaining to every comment ever made on any Cultura Colectiva story.

According to a report by security firm UpGuard, more than 500 million Facebook users had their personal data exposed on the public servers of Amazon by app developers. While this was much smaller, containing information on 22,000 users, it contained more sensitive information, including friends lists, interests, photos, group memberships and check-ins.

Though the firm speculates the passwords are not of Facebook, but "At the pool" account of users, people who tend to use the same passwords across their multiple social media accounts may have been exposed.

'The surface area for protecting the data of Facebook users is thus vast and heterogenous, and the responsibility for securing it lies with millions of app developers who have built on its platform'.

For the last two years, the negative publicity on how Facebook partners collect, share, and secure data has skyrocketed.

"We worked to get the databases in question taken down, but we are still investigating exactly what information was stored there", a Facebook spokeswoman said, adding that the company's policies prohibit storing user information in a public database. That database was closed on Wednesday after Bloomberg alerted Facebook to the problem and Facebook contacted Amazon. UpGuard said that it first reached out to Cultura Colective on January 10th of this year and followed up with a second email on January 14th.

Another dataset, sourced from a Facebook-integrated app known as "At the Pool", was also found via an Amazon S3 bucket.

After the Cambridge scandal broke in 2018, Facebook further restricted developer access and embarked on a wholesale review of third-party apps. "The password is simply no longer enough to provide a sufficient level of security in today's threat landscape".

Still, UpGuard's findings reveal how Facebook partners collect massive amounts of data with their own apps. When it didn't receive a response, it emailed Amazon Web Services (AWS) on January 28 and then again on February 21, as the data remained accessible.

Redacted example of data from the exposed Cultura Colectiva dataset. The At The Pool data set, on the other hand, was miraculously pulled offline shortly after UpGuard discovered it. It shows that a lack of respect towards private data is an industry problem and not just something Facebook alone is at fault for.