Facebook Exposes Millions of Data Records…Wait for it… “Again”

By Dennis DiGiacomo

Facebook seems to be a glutton for punishment. Not even two weeks after it was learned that the popular social media site had stored user passwords in plaintext for years, accessible to internal employees, user data is still showing up in unprotected places it shouldn’t be.

A recent article by WIRED reported that cybersecurity researchers discovered two caches of unprotected Facebook user data sitting on Amazon’s servers. This exposed hundreds of millions of records about users, including their names, passwords, comments, interests, and likes. The data sets were uploaded to Amazon’s cloud system by two different third-party app developers.

This recent evidence is proof that once Facebook shares its data with third parties, it truly has no control over where the data ends up or how securely it is stored. This comes about a year after the Cambridge Analytica fiasco made international headlines. In that scandal, one academic was able to collect tens of millions of Facebook users’ data without their knowledge using a personality profiling quiz. After the story broke, Facebook vowed to crack down on data access and to audit app developers that had access to large volumes of user data. These findings reveal the absolute limits of the popular social media application’s control over information it has already given away.

One of the largest databases in this exposure belonged to a Mexican company named Cultura Colectiva. It used Amazon cloud services to store around 146 GB of data containing 540 million individual records. The researchers who discovered the exposure alerted the company in early January but received no response. At the end of January, the researchers reached out to Amazon, which then alerted Cultura Colectiva once again. According to Bloomberg (which contacted Facebook about it), the database was not secured until Wednesday.

Facebook stated that once they were alerted to the issue, they worked with Amazon to take down the databases… “We are committed to working with the developers on our platform to protect people’s data.”

The other major database in the exposure belonged to the app “At the Pool,” which had uploaded a significantly smaller database than the other developer. This vulnerable data set contained the plaintext passwords of 22,000 users. Researchers note that the passwords are presumably for the app and not for the users’ Facebook accounts. Griffon Force believes, as many do, that this could be particularly troubling since many individuals use the same passwords across multiple accounts. Many even secure their Facebook with the same password they use to protect their bank account(s).

Researchers do not know how long the “At the Pool” database was exposed; it was taken down while they were reporting the issue. The app itself appears to have shut down in 2014.

Groundhog Day…Again

Facebook said that the company continues to assess the extent of the information that was available and how it may have impacted people. This statement mimics precisely what Facebook promised after the Cambridge Analytica breach. To be fair, the company has suspended hundreds of apps from the platform, but the latest findings raise concerns about whether Facebook is truly performing adequate investigations into how information is being stored by third parties.

Security researchers at UpGuard, who originally discovered the breach, wrote that “The surface area for protecting the data of Facebook users is thus vast and heterogeneous, and the responsibility for securing it lies with millions of app developers who have built on its platform.”

What should you do?

As we usually do when any data issue arises in which usernames and passwords are exposed, Griffon Force recommends that you change your password/passphrase immediately if you believe you were, or could have been, affected by the breach.

When building a strong password/passphrase, use lowercase and uppercase letters, numbers, and symbols, and make it 10-20 or more characters long. Additionally, make sure your password is not based on personal information about yourself (e.g. your dog’s name, a street you lived on, your mother’s maiden name, your initials, etc.).
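The following is an added example, not code from Griffon Force or the article, that turns the advice above into a checker: it flags passwords that are too short, miss a character class, or contain personal details the user supplies (a pet’s name, a street, a maiden name, initials), and it generates a random password that passes the same rules. The `personal_info` list is an assumption; the caller supplies it.

```python
import re
import secrets
import string

# Symbols accepted as "special characters" for this example's policy.
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?/"


def password_problems(password, personal_info=()):
    """Return a list of policy violations; an empty list means the password passes.

    personal_info: strings the user should avoid (dog's name, street, maiden
    name, initials). This is supplied by the caller, not looked up anywhere.
    """
    problems = []
    if len(password) < 10:
        problems.append("shorter than 10 characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in password):
        problems.append("no symbol")

    lowered = password.lower()
    for item in personal_info:
        item = item.strip().lower()
        if not item:
            continue
        if len(item) < 3:
            # Short items such as initials ("dd") must appear as a standalone
            # run of letters, otherwise almost any password would match.
            hit = re.search(r"(?<![a-z])" + re.escape(item) + r"(?![a-z])", lowered)
        else:
            hit = item in lowered
        if hit:
            problems.append(f"contains personal detail '{item}'")
    return problems


def generate_password(length=16):
    """Generate a random password (via the secrets module) that passes the policy."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_problems(candidate):
            return candidate
```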

Always be aware of who you share information with, and don’t fall for scams designed to steal personal information.

Written by Dennis DiGiacomo
