In latest blow to Facebook, 540 million user records exposed by third-party apps

In the latest privacy blow for Facebook, the information of up to 540 million users, including passwords, comments, likes, and Facebook IDs, was left by app developers on publicly visible Amazon cloud servers. That’s according to a report from the security firm UpGuard, which initially discovered the two datasets of Facebook user information.

Though the information on the servers was eventually removed once Facebook was contacted, it is not known how long the data was available to the public, or who may have accessed it. According to UpGuard, two specific data sets contained user information. One set, which comes from the Mexican media company Cultura Colectiva, weighed in at 146GB and contained the personal information of 540 million Facebook users. The second data set, which traces back to a Facebook app going by the name of “At the Pool,” was also found in a public Amazon S3 bucket. This data set is smaller than Cultura Colectiva’s but contained the passwords for 22,000 users. It also contained sensitive information such as Facebook likes and check-ins.

“The data sets vary in when they were last updated, the data points present, and the number of unique individuals in each. What ties them together is that they both contain data about Facebook users, describing their interests, relationships, and interactions, that were available to third-party developers,” UpGuard said.

Facebook and Amazon worked to take down the databases, but not before the damage was done. “Facebook’s policies prohibit storing Facebook information in a public database. Once alerted to the issue, we worked with Amazon to take down the databases. We are committed to working with the developers on our platform to protect people’s data,” said Facebook in a statement.

Though there remains the possibility that these app developers could have inadvertently placed the information on public servers, it serves as a reminder that Facebook data is not always private. Previously, in December 2018, an API bug exposed the private photos of up to 6.8 million Facebook users to third-party apps. Facebook had also faced criticism following the fallout of the Cambridge Analytica scandal and promised to reduce the number of apps that have access to user data.

Arif Bacchus
Arif Bacchus is a native New Yorker and a fan of all things technology. Arif works as a freelance writer at Digital Trends…
Facebook faces another huge data leak affecting 267 million users

More than 267 million Facebook users’ IDs, phone numbers, and names were exposed in an online database that could potentially be used for spam and phishing campaigns.

Security researcher Bob Diachenko uncovered the database, according to Comparitech. The database was first indexed on December 4, but as of today, December 19, it is unavailable. Comparitech reports that before the site was taken down, the database was found on a hacker forum as a downloadable file. 

Documents show Facebook used user data as bargaining chip against competitors

Leaked documents show that Facebook used user data as a bargaining chip with its advertising partners and leveraged the data against its competitors. 

NBC News first reported on the confidential documents in April that contained Facebook’s internal communications from 2011-2015 as part of an ongoing lawsuit. The newly leaked documents — about 7,000 pages in total — shed light on how CEO Mark Zuckerberg used users’ data as leverage for company partnerships.

Third-party devs improperly accessed some Facebook groups’ private data

Facebook is yet again at the center of a user privacy mishap. In a blog post, its head of platform partnerships, Konstantinos Papamiltiadis, revealed that about 100 third-party app developers had improper access to personal data of several groups’ members despite the fact that the social network overhauled its APIs to prevent this exact behavior last year.

Before the alterations to the Groups system, Facebook allowed outside developers to extract information about a group’s members, such as their profile pictures, names, and more. All they needed was a green light from the group's admin. However, in the wake of the Cambridge Analytica scandal, the company rolled out an update that restricted third-party access to the group’s name, the number of users, and posts’ content, and made giving up their private data optional for members.
