Millions of Facebook records were exposed on public Amazon server

Security researchers found the Facebook data on an unprotected server, including 22,000 passwords stored in plain text.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
3 min read

The data came from two third-party Facebook apps.

James Martin/CNET

A treasure trove of Facebook data containing more than 540 million records was exposed online in a public database, security researchers from UpGuard said Wednesday.

The data contained extensive details, including people's comments, likes, names and Facebook IDs. It had been collected by two third-party Facebook apps. 

Read more: How to Delete Yourself from the Internet

"Facebook's policies prohibit storing Facebook information in a public database. Once alerted to the issue, we worked with Amazon to take down the databases. We are committed to working with the developers on our platform to protect people's data," a Facebook spokesperson said in a statement.

In the incident revealed Wednesday, the databases resided on Amazon cloud servers without any protection, and came from a Mexico-based media company called Cultura Colectiva, as well as another app, called At the Pool.

UpGuard said it notified Cultura Colectiva in January and hasn't received a response. The security researchers also reached out to Amazon to secure the database, and the retail giant did not take action. The database wasn't secured until Wednesday morning, when Bloomberg, which reported the story first, reached out to Facebook. 

Amazon didn't respond to a request for comment.

The massive social network has suffered multiple security lapses over the last month alone. It announced, for instance, that it had inadvertently stored passwords of hundreds of millions of people in plain text. It also was caught requesting people's passwords to their personal emails when they were signing up for new accounts, a verification method it had used for several years and stopped using this week.

Watch this: Keep your data secure with a password manager

Third-party apps continue to be a security concern for Facebook, as demonstrated by the Cambridge Analytica scandal last year.

The exposed database for At the Pool contained data including photos, events and passwords, though UpGuard believes the passwords stored were for the app, not for Facebook accounts. Still, it contained 22,000 passwords in plain text, and people frequently reuse passwords for multiple apps. 

It's unclear if any malicious actors accessed the open database before UpGuard discovered it, but the data left exposed to the public had a lot of potential for abuse, said Greg Pollock, UpGuard's vice president of product.
"It gave you all the information that makes Facebook valuable," Pollock said. "There's millions of data points to profile people to understand how to market to them or deceive them."

The company behind At the Pool stopped operating in 2014, but the database was still available online for anyone who could find it. 

The 146 gigabytes of data come from a time when Facebook was more permissive about the kinds of data third-party developers could gather from people on the social network. After Cambridge Analytica showed that developers could abuse this privilege and gather data on millions of people without their permission, Facebook promised to restrict developers' data access

These exposed databases containing old data are essentially ghosts of Facebook's past coming back to haunt the company.

"Facebook had a period of time when it was very liberal with its data sharing," Pollock said. "It doesn't anymore, but all the data it shared with developers is still somewhere, and no one knows how they handled it."
Facebook said it doesn't allow developers to store extracted data in public. So these exposed servers are like finding a needle in a haystack for the social media giant. Facebook wasn't aware of them until UpGuard's researchers notified the company. 

"For Facebook to find all open databases storing data from Facebook, they would have to go through every open database, and there are millions of those," Pollock said.

Originally published April 3, 10:47 a.m. PT.
Updates, 10:59 a.m.:
Adds more details about the data exposure; 11:08 a.m.: Includes response from Facebook; 12:20 p.m.: Adds comments from UpGuard.