Wikimedia Commons (CC-BY)

540 million Facebook user records left exposed online

Third-party developers failed to secure servers holding private data.


Mikael Thalen


Posted on Apr 3, 2019   Updated on May 20, 2021, 3:42 pm CDT

Cybersecurity researchers revealed Wednesday that data on hundreds of millions of Facebook users was left exposed online.

According to a blog post from UpGuard, a California-based cybersecurity firm, two publicly assessable servers were found to contain information on more than 540 million Facebook users.

The first and most substantial dataset comes from Mexican media company Cultura Colectiva, which left 540 million “comments, likes, reactions, account names, FB IDs and more” on an unsecured Amazon Simple Storage Service (S3) bucket.

The second unprotected server, belonging to a Facebook-integrated app known as “At the Pool,” was found to be storing data on over 22,000 users, including everything from passwords to Facebook check-ins. Although the passwords are believed to be for the app itself and not Facebook, UpGuard notes that the security lapse “would put users at risk who have reused the same password across accounts.”

UpGuard says despite contacting Cultura Colectiva to request the data be protected or removed, the company failed to reply. Even after contacting Amazon, Cultura Colectiva’s server was still left exposed. After Facebook became aware of the issue nearly three months later, the S3 bucket was secured.

The information stored by the “At the Pool” app was taken offline before UpGuard could alert the company.

“The data exposed in each of these sets would not exist without Facebook, yet these data sets are no longer under Facebook’s control,” UpGuard notes. “In each case, the Facebook platform facilitated the collection of data about individuals and its transfer to third parties, who became responsible for its security.”

The incident highlights the inherent security and privacy issues related to Facebook’s policy of sharing data with third-party developers. The discovery also comes amid attempts by Facebook to paint itself as a privacy-conscience company after months of data scandals.


H/T TechCrunch

Share this article
*First Published: Apr 3, 2019, 4:00 pm CDT