- 540 million Facebook user records were left exposed on public servers by app developers.
- The social network’s lax data policies meant that for years developers could easily harvest users’ sensitive data – and now it’s leaking out.
- Facebook has since tightened up the data the user data accessible to app developers, especially in the wake of the Cambridge Analytica scandal, but at least some damage has already been done.
- “Data about Facebook users has been spread far beyond the bounds of what Facebook can control today,” said UpGuard, the security firm that found the leak.
More than 500 million Facebook user records were left exposed on public servers by app developers.
Researchers at security firm UpGuard found that the user data, which had been harvested from Facebook by third-party app developers, was sitting without any password protection on public Amazon servers it had been uploaded to. That data included sensitive information like users’ friends, likes, music, photos, events, interests, and check-ins. UpGuard’s findings were first reported by Bloomberg.
The vast majority of the records – millions of users’ info – had apparently been uploaded publicly by Cultura Cultiva, a Mexican media company. A second unprotected user data was smaller, at around 22,000 users, and related to a Facebook-integrated app called “At the Pool” which shut down in 2014.
The findings highlight how Facebook’s years of lax oversight over how app developers could access user data has led to a massive proliferation of people’s sensitive information across the internet, often without their knowledge or informed consent. Facebook has since tightened up the data the user data accessible to app developers, especially in the wake of the Cambridge Analytica scandal, but at least some damage has already been done.
“As Facebook faces scrutiny over its data stewardship practices, they have made efforts to reduce third party access. But as these exposures show, the data genie cannot be put back in the bottle,” UpGuard wrote in a blog post about its findings on Wednesday.
“Data about Facebook users has been spread far beyond the bounds of what Facebook can control today. Combine that plenitude of personal data with storage technologies that are often mis-configured for public access, and the result is a long tail of data about Facebook users that continues to leak,” it writes.
In a statement, Facebook spokesperson Katy Dormer told Business Insider: “Facebook’s policies prohibit storing Facebook information in a public database. Once alerted to the issue, we worked with Amazon to take down the databases. We are committed to working with the developers on our platform to protect people’s data.”
Got a tip? Contact this reporter via encrypted messaging app Signal at +1 (650) 636-6268 using a non-work phone, email at firstname.lastname@example.org, Telegram or WeChat at robaeprice, or Twitter DM at @robaeprice. (PR pitches by email only, please.) You can also contact Business Insider securely via SecureDrop.
- Car-bomb fears and stolen prototypes: Inside Facebook’s efforts to protect its 80,000 workers around the globe
- Facebook quietly killed its Building 8 skunkworks unit as it reshuffles its cutting-edge experiments and hardware
- Leaked Andreessen Horowitz data reveals how much Silicon Valley startup execs really get paid, from CEOs to Sales VPs