By Dennis DiGiacomo
Facebook seems to be a glutton for punishment. Not even two weeks after it was learned that the popular social media site was storing user passwords in plaintext for years to be used by internal employees, user data is still showing up in unprotected places it shouldn’t be.
A recent article by WIRED reported that cybersecurity researchers discovered two caches of unprotected Facebook user data sitting on Amazon’s servers. This exposed hundreds of millions of records about users, including their names, passwords, comments, interests, and likes. The data sets were uploaded to Amazon’s cloud system by two different third-party app developers.
This recent evidence is proof that when Facebook shares its data with third parties, it truly has no control over where the data ends up or how it is securely stored. This comes about a year after the Cambridge Analytica fiasco made international headlines. In this scandal, one academic was able to collect tens of millions of Facebook users’ data without their knowledge using a personality profiling quiz. After the story was aired, Facebook vowed to crack down on data access and to audit app developers that had access to large volumes of user data. These findings reveal the absolute limits of the popular social media application’s control over information it has already given away.
One of the largest databases in this exposure belonged to a Mexican company named Cultura Colectiva. It used Amazon cloud services to store around 146 GB of data that included 540 million different records. The researchers who discovered the exposure alerted the company in early January but received no response. At the end of January, the researchers reached out to Amazon, which then alerted Cultura Colectiva once again. This database was not secured until Wednesday, according to Bloomberg (which contacted Facebook about it).
Facebook stated that once they were alerted to the issue, they worked with Amazon to take down the databases… “We are committed to working with the developers on our platform to protect people’s data.”
The other major database in the exposure belonged to the app “At the Pool”, which had uploaded a significantly smaller database than the other developer. This vulnerable data set contained the plaintext user passwords for 22,000 users. Researchers note that the passwords are presumably for the app and not for the users’ Facebook accounts. Griffon Force believes, as many do, that this could be particularly troubling since many individuals use the same passwords across multiple accounts. Many even secure their Facebook with the same password they use to protect their bank account(s).
Researchers do not know how long the “At the Pool” database was exposed. It was taken down during their reporting. The app “At the Pool” appeared to have shut down in 2014.
Facebook said that the company continues to assess the extent of the information that was available and how it may have impacted people. This statement mimics precisely what Facebook promised after the Cambridge Analytica breach. To be fair, the company has suspended hundreds of apps from the platform, but the latest findings raise concerns about whether Facebook is truly performing adequate investigations into how information is being stored by third parties.
Security researchers at UpGuard, who originally discovered the breach, wrote that, “The surface area for protecting the data of Facebook users is thus vast and heterogenous, and the responsibility for securing it lies with millions of app developers who have built on its platform.”
What should you do?
As we usually do when any data issues arise in which usernames and passwords are exposed, Griffon Force recommends that you change your password/passphrase immediately if you believe you were or would be affected by the breach.
When building a strong password/passphrase, use lowercase and uppercase letters, numbers, and special characters such as symbols, and make it 10-20 or more characters long. Additionally, ensure that you are not associating your passwords with personal information about yourself (e.g. dog’s name, street you lived on, mother’s maiden name, initials, etc.).
Always be aware of who you share information with, and don’t become susceptible to scams that steal personal information.