According to a report from UpGuard, over 540 million Facebook users had their personal data exposed by third-party app developers.
One dataset, originating from the Mexico-based media company Cultura Colectiva, is 146 gigabytes in size. The dataset contains over 540 million records detailing users’ comments, likes, reactions, account names, Facebook IDs, and more.
Another dataset, sourced from a Facebook-integrated app known as “At the Pool”, was also found in an Amazon S3 bucket. The dataset wasn’t protected in any way, shape, or form, meaning anyone could access people’s sensitive information, including their passwords.
UpGuard say that the passwords are most likely for the At the Pool app rather than for users’ Facebook accounts, but the exposure would still put users at risk if they use the same password across many accounts.
While the At the Pool dataset isn’t as large as Cultura Colectiva’s, it still contains plain text Facebook passwords for over 22,000 users. At the Pool was an ‘anti-Facebook’ social network and has been defunct since 2014.
UpGuard say they reached out to Cultura Colectiva back in January and, as of posting, have still received no response.
They also reached out to Amazon Web Services, as the data was hosted on Amazon’s S3 cloud storage, and despite receiving several responses assuring them that it would be taken care of, the database wasn’t secured until the morning of April 3rd, 2019.
On the other hand, the At the Pool leak was taken offline while UpGuard were investigating the origin and before they could send an official email. While UpGuard are unsure as to why this happened, they can confirm that the application is no longer active.
The lesson here is to be mindful of your data and how it’s used. While nobody could have predicted that their data would be stored in plain text and displayed for everyone to see, it’s still a good idea to be careful about what you put on the internet and to use a different password for every service.