In what has become a depressingly common refrain for the social network behemoth, Facebook user data has once again been left exposed to the public. According to researchers at security firm UpGuard, the first of the two data sets originates from Mexico-based media publisher Cultura Colectiva, weighing in at over 146 gigabytes and featuring over 540 million records, including Facebook IDs, comments, likes, and reactions.
The second data set, sourced from a Facebook app called “At the Pool”, was just a fraction of the size as the Cultura set, but contained more critical information, including plaintext Facebook passwords for over 22,000 users. Scariest of all, both data sets were stored in Amazon cloud storage buckets that allowed public downloads.
As UpGuard points out, despite the fact that Facebook has promised a renewed sense of urgency regarding its user’s data, especially following the catastrophic Cambridge Analytica leak last year, there is only so much that the company can control at this point. While it may be able to prevent or limit new leaks like this from happening in the future, the “At the Pool” app shut down in 2014, and yet the data was floating around online for years.
“Facebook’s policies prohibit storing Facebook information in a public database,” a Facebook spokesperson said after the UpGuard story came to light. “Once alerted to the issue, we worked with Amazon to take down the databases. We are committed to working with the developers on our platform to protect people’s data.”
While there are bad actors out there who will expose private information and account records intentionally, both of these incidents appear to be accidental. Nevertheless, the sheer amount of data that Facebook has handed out to third parties over the years is virtually incalculable, and it would be a shock if this was the last discovery of exposed Facebook user data that has been publicly accessible for months or even years.
“The data exposed in each of these sets would not exist without Facebook, yet these data sets are no longer under Facebook’s control,” the UpGuard researchers explain in their report. “In each case, the Facebook platform facilitated the collection of data about individuals and its transfer to third parties, who became responsible for its security. The surface area for protecting the data of Facebook users is thus vast and heterogenous, and the responsibility for securing it lies with millions of app developers who have built on its platform.”