540M Facebook member records exposed by unsecured AWS S3 buckets

Published on April 4th, 2019


Upguard is reporting that it found more than 540 million records from two Facebook app providers on two unprotected Amazon S3 buckets.

The exposed information comes from the Mexican media firm Cultura Colectiva and a now-defunct Facebook-integrated app called “At the Pool.”

The Cultura Colectiva dataset contained 146GB of data with 540 million records showing comments, likes, reactions, account names, Facebook IDs and more, Upguard wrote. The At the Pool server held a database backup containing 22,000 records listing fk_user_id, fb_user, fb_friends, fb_likes, fb_music, fb_movies, fb_books, fb_photos, fb_events, fb_groups, fb_checkins, fb_interests and password, although Upguard believes the password is the user's password for the app, not their Facebook password.

The At the Pool app ceased operating in 2014.

“Each of the data sets was stored in its own Amazon S3 bucket configured to allow public download of files,” Upguard wrote, adding that while the two sets contained somewhat different pieces of information, both contain data about Facebook users, describing their interests, relationships and interactions, that had been made available to third-party developers.
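The misconfiguration Upguard describes, a bucket that lets anyone download its files, shows up in one of two places in S3: an ACL grant of READ (or FULL_CONTROL) to the AllUsers or AuthenticatedUsers group, or a bucket policy with an Allow statement whose Principal is "*" and whose Action covers s3:GetObject. The script below is an added example, not code from the article or from Upguard, that evaluates those two structures offline and reports whether anonymous download is possible, taking S3 Block Public Access into account. The bucket name example-backups, the ACL grants, the policy and the Block Public Access settings are constructed samples, not the actual Cultura Colectiva or At the Pool configurations; in a live audit the same structures come from the S3 GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock API calls.

```python
"""Flag S3 bucket settings that allow anonymous download of objects.

Added example, not code from the article or UpGuard; the bucket name, ACL,
policy and Block Public Access settings below are constructed samples. In a
live audit the same structures come from boto3: get_bucket_acl()["Grants"],
json.loads(get_bucket_policy()["Policy"]) and get_public_access_block().
"""
import fnmatch
import json

# Grantee URIs S3 uses for "everyone" and "any authenticated AWS user";
# a READ grant to either one makes object download public.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEES = {ALL_USERS, AUTHENTICATED_USERS}

# The four S3 Block Public Access flags; all True means anonymous access is
# refused even if a public ACL or policy is still attached to the bucket.
BLOCK_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
               "BlockPublicPolicy", "RestrictPublicBuckets")


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (possibly inside a list)."""
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return principal == "*"


def _covers_get_object(actions):
    """True if any action pattern matches s3:GetObject ("s3:*", "s3:Get*", "*")."""
    return any(fnmatch.fnmatchcase("s3:getobject", a.lower()) for a in _as_list(actions))


def public_acl_grants(grants):
    """Findings for ACL grants giving READ or FULL_CONTROL to a public group."""
    findings = []
    for grant in grants:
        grantee, perm = grant.get("Grantee", {}), grant.get("Permission")
        if (grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES
                and perm in ("READ", "FULL_CONTROL")):
            findings.append(f"ACL grants {perm} to {grantee['URI'].rsplit('/', 1)[-1]}")
    return findings


def public_policy_statements(policy):
    """Findings for Allow statements that let any principal read objects."""
    findings = []
    for stmt in _as_list((policy or {}).get("Statement")):
        if (stmt.get("Effect") != "Allow"  # Deny never widens access
                or not _principal_is_everyone(stmt.get("Principal"))
                or not _covers_get_object(stmt.get("Action"))):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Condition"):
            # Public in principle; a Condition such as aws:SourceIp may narrow it.
            findings.append(f"policy statement {sid}: public read limited by Condition (review it)")
        else:
            findings.append(f"policy statement {sid}: unconditional public read")
    return findings


def assess_bucket(name, grants, policy, public_access_block=None):
    """Combine ACL, policy and Block Public Access into one verdict."""
    blocked = all((public_access_block or {}).get(f) is True for f in BLOCK_FLAGS)
    findings = public_acl_grants(grants) + public_policy_statements(policy)
    return {
        "bucket": name,
        "findings": findings,  # latent misconfigurations, fix them regardless
        "block_public_access_enforced": blocked,
        "public_read": bool(findings) and not blocked,  # actually downloadable?
    }


# Constructed sample resembling a bucket "configured to allow public download".
SAMPLE_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-backups/*"},
    {"Sid": "DenyDelete", "Effect": "Deny", "Principal": "*",
     "Action": "s3:DeleteObject", "Resource": "arn:aws:s3:::example-backups/*"}
  ]
}""")
HARDENED_PAB = {flag: True for flag in BLOCK_FLAGS}  # the remediation

if __name__ == "__main__":
    for pab in (None, HARDENED_PAB):
        print(json.dumps(assess_bucket("example-backups", SAMPLE_ACL_GRANTS, SAMPLE_POLICY, pab), indent=2))
```

Run stand-alone, the first verdict reports the sample bucket as publicly readable on both counts (ACL READ to AllUsers and the PublicRead policy statement); the second, with all four Block Public Access flags set, reports the same two findings but public_read false, which is why enabling Block Public Access at the account level is the quickest way to close an exposure like this while the underlying ACL and policy are cleaned up. The Deny statement is ignored on purpose: a Deny can only narrow access, so it never contributes to a public-read finding.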

Upguard said it notified Cultura Colectiva on January 10 and 14 and did not receive a response. With the data still visible on February 1, the security firm notified Amazon Web Services, which immediately responded that it would contact the owner. However, on February 21 the data was still visible, so Upguard sent another email to AWS. Amazon said it would look into the situation, but the database was not locked down until April 3.

At the Pool’s server was taken down while Upguard was still working out who owned it.

“Facebook’s policies prohibit storing Facebook information in a public database. Once alerted to the issue, we worked with Amazon to take down the databases. We are committed to working with the developers on our platform to protect people’s data,” a Facebook spokesperson told SC Media.

“These two situations speak to the inherent problem of mass information collection: the data doesn’t naturally go away, and a derelict storage location may or may not be given the attention it requires,” Upguard said.

While this case does not have the same big-picture implications as the infamous Cambridge Analytica case, in which the firm used the private information of 50 million Facebook users without their permission for electoral purposes, it does serve as another spotlight shining into the darkest corners of how Facebook handles data.





“For years, Facebook allowed third-party app developers to access the Facebook data of anyone who logged in with their Facebook accounts, including the basic profile information of everyone on each user’s friends list. Although Facebook has rules about how that data can be used and stored, there’s little means of Facebook actually enforcing those policies until after some damage has been done,” said Paul Bischoff, privacy advocate at Comparitech.com.

At the Pool’s being out of business is an additional obstacle, and one that Facebook, the victims and users in general need to learn how to avoid. Rod Simmons, vice president of product strategy at STEALTHbits Technologies, said end users need to understand the permissions they are granting when they install an app and try to ensure the developer can be trusted to handle the data.

Simmons also noted that it is hard to collect a penalty from a defunct company, but there are other options.

“If you have financial penalties they only mean something for a company in business. In this situation 22,000 records were lost and the company is out of business so there is no fine that can be paid by a bankrupt company. Jail time however is a penalty an executive cannot escape just because they go out of business,” he said.

Facebook may be the poster child for lax data practices at the moment, said Mukul Kumar, CISO and VP of Cyber Practice at Cavirin, but other large firms will almost certainly end up in a similar situation, and he believes there are some prophylactic moves that should be made.

“Two half-fixes. Facebook and others need to go through their records, and reach out to their various partners to secure any customer data. Given that some of these partners may not have the expertise or may no longer exist, Facebook may need to work directly with the public cloud providers, and if they don’t take the initiative, the government should intervene,” he said.

Facebook needs to make privacy a core value and create a senior post that owns the issue, backed by a strong staff and corporate support, said Sam Curry, chief security officer at Cybereason.

“Call in independent advisors and observers. Then take 30 days to create and publish a plan in place to fix what’s broken at home and to simultaneously champion and promote privacy to chart a course for the industry,” Curry added.
