sb-nz logo
Story image

Millions of Facebook user records exposed in latest data leak

04 Apr 2019

In the latest major blow to Facebook’s reputation, cybersecurity company UpGuard has today revealed that two third-party-developed Facebook app datasets were found exposed to the public on the Internet.

On a blog post on its website, the UpGuard Cyber Risk team said the first lead was from Mexico-based media company Cultura Colectiva.

The 146GB file contained over 540 million records detailing comments, likes, reactions, account names, Facebook IDs, and more, not unlike the data provided in the Cambridge Analytica scandal a year ago.

The blog post also details a separate backup from a Facebook-integrated app titled “At the Pool” exposed to the public internet via an Amazon S3 bucket.

The data covered large swathes of users’ Facebook activity, including likes, friends, interests, check-ins, and their passwords for the app in question.

UpGuard reported that each of the data sets was stored in its own Amazon S3 bucket configured to allow public download of files.

Both sets of data were available to third-party developers.

“As Facebook faces scrutiny over its data stewardship practices, they have made effort to reduce third-party access. But as these exposures show, the data genie cannot be put back into the bottle,” the statement says.

“Data about Facebook users has been spread far beyond the bounds of what Facebook users can control today.”

UpGuard said it contacted Cultura Colectiva about the data leak twice in January but has yet to receive a response.

AWS was then notified of the leak in January and responded three days later saying that the owner of the data had been notified, but the data remained publicly available.

The data was finally secured in April after Bloomberg contacted Facebook for comment.

The data from the second leak via the At the Pool app was taken offline during the time UpGuard was conducting its investigation.

The app in question has been offline since 2014 and the company’s website returns a 404 error notice.

“These two situations speak to the inherent problem of mass information collection: the data doesn’t naturally go away, and a derelict storage location may or may not be given the attention it requires,” UpGuard said in its statement.

“For Cultura Colectiva, data on responses to each post allows them to tune an algorithm for predicting which future content will generate the most traffic.

“The data exposed in each of these sets would not exist without Facebook, yet these data sets are no longer under Facebook’s control,” UpGuard said.

“In each case, the Facebook platform facilitated the collection of data about individuals and its transfers to third parties, who because responsible for its security.”

Facebook most recently came under fire for its lack of response to the Christchurch mosque shootings, when the shooter used Facebook's Live feature to broadcast his massacre in real time.

Although Facebook worked to remove as many copies of the video as possible after it was notified, the social media giant came under fire for violating New Zealand’s privacy laws.

“Your silence is an insult to our grief,” said New Zealand privacy commissioner John Edwards in a missive to Facebook executives for their lack of engagement and accountability for their part in the incident.

Story image
Why greater network visibility is needed to reduce the threat posed by IoT in the enterprise
At home and abroad, organisations have joined the rush to embrace Internet of Things (IoT) technology, but a new survey shows they’re only just beginning to wake up to the enormous risk those devices pose, writes ExtraHop A/NZ Regional Sales Manager Glen Maloney.More
Story image
Three-in-one cloud security can ease business through difficult times
By leveraging a comprehensive security platform, organisations can block threats and prevent leakage for all interaction between endpoints, devices and apps, writes Bitglass product marketing manager Juan Lugo. More
Story image
DDoS attacks spike thanks to COVID-19 lockdowns, Kaspersky finds
Kaspersky experts believe the rise in malicious activity can be attributed to the impact of COVID-19, as both cybercriminals and their targets have had to reconsider their holiday plans. More
Story image
Businesses underutilising cloud security due to lack of education and training
Demand is high for cloud security access brokers (CASB), but more training and clear goals are needed to ensure companies get full effectiveness of products.More
Story image
Huawei introduces all-flash OceanStor Dorado arrays
All-flash offers stability and high-performance storage with extremely low levels of latency – and it can offer reliability in the event of a disaster.More
Story image
Slack unveils new security features as remote working skyrockets
Slack has introduced new security features, integrations and certifications to its platform in response to growing security concerns as more people work remotely.More