
540M Facebook member records exposed by an unsecured AWS S3 bucket

Upguard is reporting it found more than 540 million records from two Facebook app providers on two unprotected Amazon S3 buckets.

The exposed information is from the Mexican media firm Cultura Colectiva and a now-defunct Facebook-integrated app called “At the Pool.”

The Cultura Colectiva dataset contained 146GB of data with 540 million records showing comments, likes, reactions, account names, Facebook IDs and more, Upguard wrote. The At the Pool server held a database backup containing 22,000 records listing fk_user_id, fb_user, fb_friends, fb_likes, fb_music, fb_movies, fb_books, fb_photos, fb_events, fb_groups, fb_checkins, fb_interests and password, although Upguard believes the password is for the app, not the person's Facebook password.

The At the Pool app ceased operating in 2014.

“Each of the data sets was stored in its own Amazon S3 bucket configured to allow public download of files,” Upguard wrote, adding that while the two sets contained somewhat different pieces of information, both contain data about Facebook users, describing their interests, relationships and interactions, that had been made available to third-party developers.
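The misconfiguration described above, a bucket whose ACL or policy lets anyone download its files, is something a defender can check for offline. The following is an added example, not code from the article or from Upguard: it evaluates an ACL grant list (in the shape boto3's get_bucket_acl() returns) and a bucket policy JSON document, and reports the grants and statements that make the bucket publicly readable. The sample inputs are constructed for illustration.

```python
import json

# Predefined AWS groups whose presence in an ACL grant makes the bucket public.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}


def public_acl_grants(grants):
    """ACL grants letting everyone (or any AWS account) read the bucket.
    `grants` is shaped like the 'Grants' list from boto3 get_bucket_acl()."""
    return [
        g for g in grants
        if g["Grantee"].get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GROUP_URIS
        and g["Permission"] in READ_PERMISSIONS
    ]


def _principal_is_public(principal):
    # Principal may be the string "*" or {"AWS": "*"} / {"AWS": ["*", ...]}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_policy_statements(policy_json):
    """Allow statements in a bucket policy document whose principal is anyone."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given bare
        statements = [statements]
    return [s for s in statements
            if s.get("Effect") == "Allow" and _principal_is_public(s.get("Principal"))]


# Constructed sample input: an ACL that grants READ to AllUsers, plus a bucket
# policy allowing anonymous s3:GetObject. Either one makes files downloadable by anyone.
SAMPLE_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
```

Feeding real buckets' ACLs and policies through these two functions gives a quick inventory of world-readable storage; an empty result from both is the expected state for anything holding user data.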

Upguard said it notified Cultura Colectiva on January 10 and 14 and did not receive a response. With the data still visible on February 1, the security firm notified Amazon Web Services, which immediately responded that it would contact the owner. However, on February 21 the data was still visible, so Upguard sent another email to AWS. Amazon said it would look into the situation, but the database was not locked down until April 3.

At the Pool's server was taken down while Upguard was still working out who owned it.

"Facebook's policies prohibit storing Facebook information in a public database. Once alerted to the issue, we worked with Amazon to take down the databases. We are committed to working with the developers on our platform to protect people's data," a Facebook spokesperson told SC Media.

“These two situations speak to the inherent problem of mass information collection: the data doesn’t naturally go away, and a derelict storage location may or may not be given the attention it requires,” Upguard said.

While this case does not have the same big-picture implications as the infamous Cambridge Analytica case, where the firm used the private information of 50 million Facebook users without their permission for electoral purposes, it does serve as another spotlight on the darkest corners of how Facebook handles data.

“For years, Facebook allowed third-party app developers to access the Facebook data of anyone who logged in with their Facebook accounts, including the basic profile information of everyone on each user's friends list. Although Facebook has rules about how that data can be used and stored, there's little means of Facebook actually enforcing those policies until after some damage has been done,” said Paul Bischoff, privacy advocate at Comparitech.com.

At the Pool’s being out of business is an additional obstacle for Facebook and the affected users, and one users need to learn how to avoid. Rod Simmons, vice president of product strategy at STEALTHbits Technologies, said end users need to understand the permissions they are granting when downloading an app and try to ensure the developer can be trusted to handle the data.

Simmons also noted it’s hard to collect a penalty from a defunct company, but there are other options.

“If you have financial penalties they only mean something for a company in business. In this situation 22,000 records were lost and the company is out of business so there is no fine that can be paid by a bankrupt company. Jail time however is a penalty an executive cannot escape just because they go out of business,” he said.

Facebook is the poster child for lax data practices at the moment, and other large firms will almost certainly end up in a similar situation, said Mukul Kumar, CISO and VP of Cyber Practice at Cavirin, but he believes there are some prophylactic moves that should be made.

“Two half-fixes. Facebook and others need to go through their records, and reach out to their various partners to secure any customer data. Given that some of these partners may not have the expertise or may no longer exist, Facebook may need to work directly with the public cloud providers, and if they don’t take the initiative, the government should intervene,” he said.

Facebook needs to make privacy a core priority and create a senior post that will own the issue, with a strong staff and corporate backing, said Sam Curry, chief security officer at Cybereason.

"Call in independent advisors and observers. Then take 30 days to create and publish a plan in place to fix what’s broken at home and to simultaneously champion and promote privacy to chart a course for the industry," Curry added.
