Third Party Applications Exposed Over 540 Million Facebook Records
Researchers at the cybersecurity company UpGuard have discovered two troves of unprotected Facebook user data sitting on Amazon's servers, exposing hundreds of millions of records about users, including names, passwords, comments, interests, and likes. The datasets were uploaded to Amazon's cloud system by two different Facebook app developers.
This is just the latest proof that when Facebook shares data with third parties, it has no control over where the data ends up or how securely it is stored. That became abundantly clear last year with the Cambridge Analytica scandal, when a University of Cambridge academic was able to gather the data of tens of millions of Facebook users without their knowledge, using a personality profiling quiz app. After the story made headlines, Facebook promised to shut down data access and to review app developers who had ever had access to mass data. But UpGuard's findings illustrate the limits of Facebook's control over the information it has already given away. As the researchers put it in a blog post, "the data genie cannot be put back in the bottle."
According to UpGuard, one of the exposed databases belonged to a Mexican company called Cultura Colectiva, which used Amazon Cloud Services to store about 146 gigabytes of data, including 540 million different records. UpGuard notified the company of the exposure in early January but received no answer. At the end of January, the researchers alerted Amazon, which in turn notified Cultura Colectiva, but the database was not secured until Wednesday, UpGuard reports, after Bloomberg contacted Facebook about it.
Issie Lapowsky covers the intersection of technology, politics, and national issues for WIRED.
"Facebook's guidelines prohibit storing Facebook information in a public database. When we became aware of the problem, we worked with Amazon to take down the databases," a Facebook spokesman said in a statement. "We are committed to working with the developers on our platform to protect people's data."
The second database belonged to an app called At the Pool. While the At the Pool database was smaller, it also contained plaintext passwords for 22,000 users. "The passwords are probably for the 'At the Pool' app instead of the user's Facebook account," writes UpGuard, "but will put users at risk who have used the same password across accounts." The database was taken down during UpGuard's reporting, and the researchers say it is unclear how long people's information was exposed. At the Pool appears to have closed in 2014.
Facebook's spokesman said the company continues to assess the extent of the information that was available and how people might have been affected. Of course, this is exactly what Facebook promised to do after the Cambridge Analytica breach. In fact, the company has suspended hundreds of apps from the platform, citing concerns about "how the information people chose to share with the app may have been b " But UpGuard's findings raise the question of whether Facebook is adequately investigating how this information is stored by third parties. In the case of Cambridge Analytica, the researcher who collected the data deliberately sold it, which was a violation of Facebook's terms. But even a well-meaning app developer who naively fails to secure their data poses a serious threat to users' privacy.
"The surface to protect the data of Facebook users is thus large and heterogeneous, and the responsibility for securing it lies with millions of app developers who have built on their platform," wrote the UpGuard researchers.
Recently, Facebook CEO Mark Zuckerberg presented a plan for a new type of privacy-focused social network in which all messages are encrypted and the content that people share becomes increasingly ephemeral. "People will definitely want this because of what they do and what we see people doing in our products," he told WIRED. Still, he says, privacy will be at the core of the decisions that govern Facebook's future. But as this data exposure shows, he may have trouble escaping the decisions Facebook has made in the past.
Updated 4-3-2019, 3:46 PM EDT: This story has been updated to clarify that UpGuard assumes that the plaintext passwords discovered were related to At the Pool accounts, not the user's Facebook accounts.