Published on April 3rd, 2019
App Developers Left 540 Million Facebook Users’ Records on the Public Internet
For your regular reminder that developers across the world sometimes have real trouble putting any sort of protection on their databases, third party apps left Facebook user data exposed to the open internet, according to cybersecurity firm UpGuard. Bloomberg was first to report the news.
The data exposures do not come from Facebook itself, but instead apps that have been given access or otherwise collected Facebook data and then stored it elsewhere. But the mishaps still show just how easily data from one service can end up exposed thanks to another.
The two exposures come from Mexican media company Cultura Colectiva and an app called “At the Pool,” UpGuard’s announcement reads. The former includes some 146 gigabytes of data and over 540 million records, such as Facebook users’ comments, likes, account names, and unique Facebook identifiers. The latter includes passwords, but these credentials appear to be for the app and not for Facebook accounts themselves, UpGuard’s blog post adds.
UpGuard found both datasets in Amazon S3 buckets, data stores that developers commonly use for enterprise projects but sometimes leave reachable without requiring any authentication to access the data.
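The misconfiguration at the heart of this story is a bucket policy or ACL that grants read access to everyone. The script below is an added example, not code from UpGuard or the companies involved: it audits a bucket policy document for anonymous read grants and checks whether the four real S3 “Block Public Access” settings are all enabled, then shows a constructed weak policy beside a hardened one. The bucket name, account id and role name in the samples are placeholders.

```python
"""Audit an S3 bucket policy for anonymous read access (added example)."""
import json

# Actions that let an anonymous caller read object contents or list keys
READ_ACTIONS = {"*", "s3:*", "s3:get*", "s3:getobject", "s3:listbucket"}

# The four settings of the S3 "Block Public Access" feature
PUBLIC_ACCESS_BLOCK_KEYS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """True when the statement applies to everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _grants_read(actions):
    """True when any listed action lets the caller read or enumerate objects."""
    return any(a.lower() in READ_ACTIONS for a in _as_list(actions))


def find_public_read_statements(policy):
    """Return [(sid, 'unconditional' | 'conditional'), ...] for Allow statements
    that give anonymous principals read access. `policy` may be a JSON string
    or an already-parsed dict."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal", {})):
            continue
        if not _grants_read(stmt.get("Action", [])):
            continue
        sid = stmt.get("Sid", f"Statement[{i}]")
        # A Condition block (e.g. a VPC endpoint restriction) may narrow the
        # grant; report it for review rather than as a confirmed open bucket.
        findings.append((sid, "conditional" if stmt.get("Condition") else "unconditional"))
    return findings


def public_access_block_is_complete(config):
    """True only when all four Block Public Access settings are enabled."""
    return all(config.get(key) is True for key in PUBLIC_ACCESS_BLOCK_KEYS)


def audit_bucket(policy, public_access_block):
    """'OPEN' if an unconditional anonymous read grant exists and Block Public
    Access would not override it, 'REVIEW' for conditional grants, else 'OK'.
    With all four block settings on, S3 ignores public policies and ACLs, so
    the bucket is not exposed (the stray statement is still worth removing)."""
    findings = find_public_read_statements(policy)
    if public_access_block_is_complete(public_access_block):
        return "OK"
    if any(kind == "unconditional" for _, kind in findings):
        return "OPEN"
    return "REVIEW" if findings else "OK"


# Constructed sample policies; bucket, account id and role are placeholders.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",  # everyone, including unauthenticated internet clients
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-app-exports",
                     "arn:aws:s3:::example-app-exports/*"],
    }],
})

HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ExportRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/export-reader"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-app-exports/*",
    }],
})

ALL_BLOCKED = {key: True for key in PUBLIC_ACCESS_BLOCK_KEYS}
NOTHING_BLOCKED = {key: False for key in PUBLIC_ACCESS_BLOCK_KEYS}

if __name__ == "__main__":
    print(find_public_read_statements(WEAK_POLICY))       # [('PublicRead', 'unconditional')]
    print(audit_bucket(WEAK_POLICY, NOTHING_BLOCKED))      # OPEN
    print(audit_bucket(WEAK_POLICY, ALL_BLOCKED))          # OK
    print(audit_bucket(HARDENED_POLICY, NOTHING_BLOCKED))  # OK
```

In practice the policy document and the public-access-block configuration would be pulled per bucket from the AWS API and fed to `audit_bucket`; the point of the two sample policies is that the hardened one names a specific principal instead of `"*"`, and that enabling all four block settings at the account level stops a future “public-read” slip from becoming an exposure.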
Both datasets are now secured, but in Cultura Colectiva’s case, only after Bloomberg reached out to Facebook for comment, UpGuard’s post reads.
Cultura Colectiva did not immediately respond to a request for comment.
The Lesson: Again, this breach wasn’t really from Facebook itself, but it does still highlight how third parties can mishandle Facebook user data. In general, if there is an app or service that you grant access to your Facebook or other sensitive account and no longer need it, consider closing your account. That may not guarantee your data is deleted, however, so maybe don’t grant access to some of your more important accounts in the first place.