Mexican firm responsible however refuses to accept 540 million records on Facebook users was sensitive
Facebook has reacted quickly to the discovery of public databases containing data on 540 million of its users on a cloud server.
The 146 gigabytes of data was found by UpGuard’s Cyber Risk team, as it was stored openly on an Amazon S3 bucket, and besides the 540 million records, it also included another database from an app called At the Pool, which listed names, passwords and email addresses of 22,000 people.
UpGuard makes a habit of finding sensitive information stored on Amazon servers. In September 2017 for example it found the CVs of thousands of former US military personnel, including hundreds with ‘Top Secret’ security clearances, were left available on an Amazon S3 cloud storage repository.
Then in November 2017 UpGuard found “critical data” belonging to the US army on virtual image of hard disk left on an AWS server, without password protection.
Indeed that data was deemed so sensitive that it is not even allowed to shared with America’s allies.
But this week UpGuard’s Cyber Risk team revealed in a blog posting that it had found public databases on Facebook users.
The researchers found that Mexico City-based news website Cultura Colectiva had used Amazon servers to openly store 540 million records on Facebook users. T
“The UpGuard Cyber Risk team can now report that two more third-party developed Facebook app datasets have been found exposed to the public internet,” UpGuard blogged.
“One, originating from the Mexico-based media company Cultura Colectiva, weighs in at 146 gigabytes and contains over 540 million records detailing comments, likes, reactions, account names, FB IDs and more,” it wrote. “This same type of collection, in similarly concentrated form, has been cause for concern in the recent past, given the potential uses of such data.”
“A separate backup from a Facebook-integrated app titled “At the Pool” was also found exposed to the public internet via an Amazon S3 bucket,” it added.
UpGuard notified Cultura Colectiva on 10th January this year, and then again in 14th January, with no response.
The security researchers then notified Amazon Web Services of the situation on 28th January, and AWS sent a response on 1 February saying that the bucket’s owner was made aware of the exposure.
But when the researchers checked again on 21 February they discovered the data was still not secured, and an email was to Amazon Web Services.
AWS again responded on that same day stating they would look into further potential ways to handle the situation.
It was not until the morning of 3 April after Facebook was contacted by Bloomberg for comment, that the database backup, inside an AWS S3 storage bucket titled “cc-datalake,” was finally secured.
Facebook at least when it became aware of the issue, reacted quickly to the discovery and worked with Amazon to get those public databases removed.
“Facebook’s policies prohibit storing Facebook information in a public database,” the company was quoted by Reuters as saying.
Facebook is right to be a little sensitive after a number of privacy-related scandals.
Last month for example it admitted that “hundreds of millions” of passwords were stored on its internal server in plaintext, unprotected by any form of encryption whatsoever.
But some in the security industry warn of lack standards around storing sensitive data.
“Too many organisations are using poor hygiene when storing passwords and other sensitive information,” said Stephen Cox, Chief Security Architect at SecureAuth. “Unfortunately in this case, because user account names were also exposed, some of the affected users are likely to be compromised due to password reuse.”
“When people reuse passwords across multiple websites these sort of leaks can have far reaching consequences,” said Cox. “The password is simply no longer enough to provide a sufficient level of security in today’s threat landscape.”
“We need to move beyond the password, to a modern authentication strategy that takes a risk-based approach, analyses user behaviour, and applies real-time threat detection techniques to improve end-user trust,” he added. “The goal should be rendering stolen credentials useless to an attacker – and it is possible today to do so.”
But the Mexican firm behind the data exposure is unrepentant, and it rejected that it had put people’s data at risk.
Cultura Colectiva was quoted by Reuters as saying in a statement that all of its Facebook records came from user interactions with its three pages on Facebook and is the same information publicly accessible to anyone browsing those pages.
“Neither sensitive nor private data, like emails or passwords, were amongst those because we do not have access to that kind of data, so we did not put our users’ privacy and security at risk,” Cultura Colectiva reportedly said.
“We are aware of the potential uses of data in current times, so we have reinforced our security measures to protect the data and privacy of our Facebook fanpages’ users,” it added.