Two third-party services left Facebook user data exposed online — in one case, 540 million records of user comments — highlighting the ease with which third-party developers can access data and the risk of lax security.
A Mexican media company’s unprotected Amazon S3 container exposed more than 540 million records of Facebook users’ comments and interests, while a defunct integrated Facebook app, At the Pool, left online sensitive information of more than 22,000 users, cloud-security firm UpGuard announced on April 3.
The data, found by the company’s storage-scanning service, had explicitly been saved in two separate Amazon Simple Storage Service (S3) buckets, allowing public downloading, according to a blog post. The larger data set, left online by Mexican media firm Cultura Colectiva, consisted of 146GB of comments and whether other users liked or responded to those posts, says Chris Vickery, director of cyber-risk research at UpGuard.
“In this concentrated mass, 540 million records, this is the same type of data that companies like Cambridge Analytica, or anyone else in the marketing [or] psychographic field, can exploit to develop … profiles and really learn how to control a population,” he says. “In the aggregate, it is scary.”
Third-party developers and corporate users of Facebook’s information have become a large security and public-relations problem for the company. In 2018, a Facebook insider revealed that Cambridge Analytica and its parent company, the SCL Group, had collected data on millions of Americans as a prelude to profiling them and targeting advertising to influence the 2016 presidential election. Soon after, the company revealed that most of its users likely had had their profiles scraped by third-party developers. Multiple lawsuits have since been filed against Facebook.
Yet the leaks have not stopped. In December, an issue with Facebook’s photo API may have given third-party developers access to the photos of 6.8 million users. In June, …
Author: Robert Lemos