Two Leaky Databases Left over 540 Million Facebook User Records Publicly Accessible

540 Million Facebook User Records Exposed

For a while now, Facebook has been making headlines for all the wrong reasons. Last month, security reporter Brian Krebs revealed that the passwords of hundreds of millions of people had been stored in plaintext in Facebook's internal systems. The criticism hadn't died down yet when users complained that social media is asking them for their email passwords.

These two completely separate incidents happened just two weeks apart and are the latest in a rather long line of events which suggest that "Facebook" and "privacy" are two incompatible notions. This sort of news is fresh ammo for the social media's opponents who reckon that Facebook is the root of all evil, and not surprisingly, Mark Zuckerberg is trying to defend his multi-billion-dollar empire.

Time and again, he has vowed that Facebook will update its policy and change its data handling mechanisms to ensure that the privacy of more than 2 billion users is better protected. Whether or not you're willing to believe him is for you to decide, but even if he does all the things he has promised to do, mistakes made years ago could still lead to data exposure.

More than half a billion Facebook user records left in public Amazon S3 buckets

In January, cybersecurity researchers from UpGuard stumbled upon a couple of Amazon S3 buckets that were publicly accessible from anywhere in the world and, upon closer inspection, turned out to contain quite a few Facebook user records.

The first bucket belonged to the developer of "At the Pool" – a now-defunct social media-type application that was integrated with Facebook. The dataset contained information about 22 thousand users which, in the grand scheme of things, isn't that much. Although it was small and relatively old (it would appear that the app was taken down about five years ago), the database contained plaintext passwords which goes against all common sense when it comes to secure passwords storage.

It must be said that although all affected individuals were Facebook users, the exposed passwords were for their At the Pool accounts rather than their Facebook profiles. This, as UpGuard pointed out, however, is little consolation for the people who use and reuse the same old passwords. In addition to the passwords, the bucket had columns titled fb_user_id, fb_friends, fb_likes, fb_photos, etc.

The second S3 bucket UpGuard stumbled upon was much larger. It came in at 146 gigabytes, and it contained a total of 540 million records. Apparently, the exposed data included everything from account names and Facebook IDs to comments, likes, and reactions. After some investigation, UpGuard figured out that the data was collected by a Mexico-based marketing company by the name of Cultura Colectiva.

To recap, we've got details of Facebook users that are accessible to anyone. Some of them were exposed by a now-defunct software developer, and some of them were put out by a Mexican marketing business. All the data was hosted on hardware owned by Amazon. You should be able to see the problem by now.

Newsflash: If you've shared your data with Facebook, you've probably shared it with third parties

The media outcry is nowhere near as loud, but we are basically talking about the same things we talked about a year ago when the Cambridge Analytica scandal broke out. For years, Facebook has been happily sharing users' information with third-party developers and service providers, and it has done absolutely nothing to ensure that the said developers and providers will actively protect users' privacy.

In theory, the user should have some control over their data. When you're allowing a third party to view and access your information, you are shown exactly what type of details it will see. In reality, however, it doesn't work. People just don't read through the permissions carefully, and even if they did, the problem of whether the third party stores the information properly remains. There is the rather radical option of banning third parties from accessing profile data altogether, but that would completely change the landscape and would force Facebook to look for alternative means of making money.

Even this, rather implausible scenario, solves the issue only for new users. The ones that have been on the platform for several years have probably already had their data accessed by third parties, and they can only hope that it will not be exposed in a public Amazon S3 bucket or indeed in any other way. As UpGuard put it, the genie is already out of the bottle.

We realize that we're painting a pretty apocalyptic picture, but the truth is, the way Facebook has worked for the past few years has made the whole privacy issue much worse than it should have been. What is rather surprising is that the people responsible don't seem to be terribly bothered.

Horrific reaction times from the organizations handling people's data

When they found the two buckets, UpGuard's researchers thought that securing the data stored by At the Pool would be incredibly difficult. The app is well and truly dead, and all evidence points to the fact that the developer has closed up shop. Despite this, someone took the S3 bucket down before UpGuard had the time to notify Amazon about it. It is still unknown whether the bucket's owner realized that they were exposing people's data or whether the hosting subscription expired.

Given that Cultura Colectiva is still a functioning entity, UpGuard hoped that getting its bucket offline would be easy. Sadly, it wasn't to be. The researchers sent out their first email on January 10. Four days later, they tried to notify the Mexican marketing company again, but they didn't hear back. Seeing that this is going nowhere, UpGuard turned to Amazon, telling Jeff Bezos' people that their hardware was exposing some data that shouldn't be exposed. Instead of taking the data down, however, Amazon said that they had informed the owner of the bucket. Three weeks later, the bucket was still up, and UpGuard decided to ask Amazon what's going on. They were promised that further investigation would take place, but for the next almost six weeks, the data remained online.

Finally, when UpGuard's researchers were preparing to break the news, they spoke to Bloomberg who, in turn, asked Facebook for comment. The social network announced that putting likes, comments, reactions, and IDs in a publicly accessible S3 bucket is against the terms of service and asked Amazon to take the bucket down. The world's largest cloud storage provider was much more responsive to Facebook's request, and on April 3, exactly 82 days after the UpGuard's first email, the data was finally taken down.

The fact that Amazon is willing to act only when there's a big social media conglomerate on the other end of the line is hardly a good look. Facebook's reaction is also less than perfect. The social network failed to say, for example, what it plans to do to ensure that similar incidents don't happen in the future.

That being said, the people running Cultura Colectiva should definitely take the lion's share of the blame not only because they left the data in an open bucket, but because they also failed to respond to emails from UpGuard and Amazon for close to three months.

Ask them, however, and they'll probably tell you that they've done nothing wrong. Shortly after the bucket was taken down, they used Cultura Colectiva's social media pages to issue a statement which is only available in Spanish (a rather strange move given that the company has an English version of its official website). Cultura Colectiva says that all the data it collects from Facebook is visible from the users' profiles. This, you have to agree, doesn't mean that it should be organized and put in a publicly accessible AWS S3 bucket.

April 5, 2019

Leave a Reply