"Facebook's policies prohibit storing Facebook information in a public database. Once alerted to the issue, we worked with
to take down the databases. We are committed to working with the developers on our platform to protect people's data," a Facebook spokesperson said in a statement.
In the incident revealed Wednesday, the databases resided on Amazon cloud servers without any protection, and came from a Mexico-based media company called Cultura Colectiva, as well as another app, called At the Pool.
UpGuard said it notified Cultura Colectiva in January and hasn't received a response. The security researchers also reached out to Amazon to secure the database, and the retail giant did not take action. The database wasn't secured until Wednesday morning, when Bloomberg, which reported the story first, reached out to Facebook.
The exposed database for At the Pool contained data including photos, events and passwords, though UpGuard believes the passwords stored were for the app, not for Facebook accounts. Still, it contained 22,000 passwords in plain text, and people frequently reuse passwords for multiple apps.
It's unclear if any malicious actors accessed the open database before UpGuard discovered it, but the data left exposed to the public had a lot of potential for abuse, said Greg Pollock, UpGuard's vice president of product. "It gave you all the information that makes Facebook valuable," Pollock said. "There's millions of data points to profile people to understand how to market to them or deceive them."
The company behind At the Pool stopped operating in 2014, but the database was still available online for anyone who could find it.
The 146 gigabytes of data come from a time when Facebook was more permissive about the kinds of data third-party developers could gather from people on the social network. After Cambridge Analytica showed that developers could abuse this privilege and gather data on millions of people without their permission, Facebook promised to restrict developers' data access.
These exposed databases containing old data are essentially ghosts of Facebook's past coming back to haunt the company.
"Facebook had a period of time when it was very liberal with its data sharing," Pollock said. "It doesn't anymore, but all the data it shared with developers is still somewhere, and no one knows how they handled it." Facebook said it doesn't allow developers to store extracted data in public. So for the social media giant, finding these exposed servers is like finding a needle in a haystack. Facebook wasn't aware of them until UpGuard's researchers notified the company.
"For Facebook to find all open databases storing data from Facebook, they would have to go through every open database, and there are millions of those," Pollock said.
Originally published April 3, 10:47 a.m. PT. Updates, 10:59 a.m.: Adds more details about the data exposure; 11:08 a.m.: Includes response from Facebook; 12:20 p.m.: Adds comments from UpGuard.