540 Million Facebook Profiles Exposed by 2 Insecure Databases


It can be hard to keep all the Facebook security and privacy breaches straight — there was just one earlier today, in fact. There’s already another leak of personal Facebook data, but this one didn’t come directly from Facebook. Researchers from cybersecurity firm UpGuard report that two unsecured databases exposed the data from more than 540 million Facebook users.

According to UpGuard, the larger of the two databases belongs to a Mexican media company called Cultura Colectiva. It contains 146GB of user data including comments, likes, reactions, names, Facebook user IDs, and more. The other database comes from a now-defunct Facebook app called “At the Pool.” This one had 22,000 passwords stored in plain text associated with user accounts. These were the passwords to At the Pool rather than Facebook, but it’s likely many of those users chose the same password they used on Facebook.

Both databases were in wide-open Amazon S3 buckets that virtually anyone could access. UpGuard may not have been the first to find them for all we know. UpGuard notified Cultura Colectiva several times, but it failed to even acknowledge messages from UpGuard itself and Amazon. The data from those 540 million accounts remained available from early this year until just a few days ago when Facebook intervened with Amazon and had the database secured. Meanwhile, the At the Pool database went offline while UpGuard was still investigating, possibly because of a hosting lapse — the app shut down in 2014.

The insecure Cultura Colectiva database in all its glory.

As far as UpGuard can tell, these databases collected all their data in accordance with Facebook’s platform rules. You’d expect the apps you use on Facebook to get some of your data, but they’re supposed to keep it secure. That’s one of Facebook’s rules, but it’s essentially impossible to enforce. Once someone has your data, they have it forever. That’s something we learned the hard way from the Cambridge Analytica scandal. That data was collected on Facebook without any workarounds or hacking, but then it was sold off.

Facebook has tightened data access on its platform in response to Cambridge Analytica. While the social network didn’t do anything to expose this data, it’s still part of the problem. Facebook facilitates the collection of all this data, and it can’t protect you once the data leaves Facebook’s platform.
