Over 50 crore Facebook user records, including passwords, exposed online
After exposing data of millions in the infamous Cambridge Analytica scandal and the September 2018 data breach, Facebook is again facing flak for its data stewardship practices. This time, the criticism stems from a humongous trove of Facebook user data that has been found on a publicly accessible server. It had over 50 crore user records, including thousands of passwords. Here are the details.
Two datasets found on Amazon cloud servers
In a recent report, cybersecurity risk assessment firm UpGuard said it had discovered two datasets containing Facebook user information on Amazon's publicly visible cloud servers. Both batches came from third-party app developers and had personally identifiable information about Facebook users. It is not exactly clear who posted the data or how long it was available, but anyone knowing where to look could have easily accessed it.
First batch had over 540 million records
While UpGuard's report doesn't reveal the number of impacted users, it claims one of the datasets, coming from a company called Cultura Colectiva, had over 540 million records. The batch, weighing 146GB, had information like user comments, likes, reactions, account names, IDs and more. To recall, this is the same kind of data that had created problems for Facebook in the Cambridge Analytica scandal.
Second batch had plain-text passwords
If the first batch compromised user account information and activity, the second revealed passwords, and in plain text at that. UpGuard says the second dataset came from a now-shuttered Facebook app called "At the Pool" and compromised unencrypted passwords of some 22,000 users. It also had information about users' emails, friends, likes, groups, interests, and check-in locations.
Nature of passwords still unclear
It's unclear whether the passwords in the dataset were for the app or for the Facebook accounts in question. Either way, they pose a serious risk, as unprotected passwords can easily be used to compromise users who reuse them across accounts.
What Facebook says on the matter
After the issue got flagged, both publicly visible datasets were pulled from Amazon's servers. "Facebook's policies prohibit storing Facebook information in a public database," a spokesperson for the company said in a statement. "Once alerted to the issue, we worked with Amazon to take down the databases. We are committed to working with the developers on our platform to protect people's data."
Now, this makes another bad case for Facebook
As of now, it remains unclear if these datasets were accessed by anyone. UpGuard says Cultura Colectiva has been contacted about the breach, but the organization has not responded to any of its emails. Yes, the breach comes from the developers' end, but the matter still raises questions about Facebook, especially how it handles user data and how far already-leaked information has traveled.