LocalBlox left a 1.2TB database file in an unprotected S3 bucket
Cybersecurity experts released a report on Wednesday stating that LocalBlox, a personal and business data search service, had scraped the data of 48 million Facebook, Twitter, LinkedIn and other social network users. The firm was created in 2010 and has since focused on building profiles from publicly exposed information.
The collected data was then left in an Amazon S3 cloud storage bucket that was not password protected. This allowed anyone to access and download the information, which included names, physical addresses, dates of birth, job histories and similar.
The exposed file “lbdumps” reached 1.2TB in size and contained 48 million virtual profiles, which made it possible to create a detailed three-dimensional image of every individual.
Chris Vickery, a security specialist on the UpGuard security team, later discovered the S3 bucket. He informed LocalBlox chief technology officer Ashfaq Rahman about the incident in late February 2018. The bucket was secured a few hours later.
LocalBlox is not taking any responsibility for the exposed data
A virtual profile is created by linking an IP address to multiple profiles on social networks. The data is then sorted and compiled together. This gave LocalBlox a clearer picture of the targeted person’s behavior and background. Thus, information harvested this way may be widely used for political campaigning or advertising purposes.
LocalBlox has been practicing data gathering procedures for a while now, claiming to have 650 million records in the ID database and 180 million records in its mobile phone database.
Ashfaq Rahman was confident that the database was “hacked” by Vickery and that no other person had access to the large database file. Nevertheless, he failed to explain why he restricted access to the bucket a few hours after the exposure.
Additionally, Rahman claimed that “most” of the collected data was fake and only used for internal testing purposes. He did not provide the number of “fake” profiles.
The discovery of exposed data raises concerns amongst security experts and regular users
The Cambridge Analytica scandal recently hit Facebook. It allowed a data analytics company to unlawfully gather personal information from 87 million Facebook users. This information was used to potentially influence US elections in 2016.
This resulted in Facebook introducing harsher privacy policies. Additionally, the social network giant is now investigating apps that gather a significant amount of information.
Social media networks and real estate site Zillow, which was also included in the data gathering procedure, advised that scraping of information without prior consent is prohibited.
However, there are no particular laws preventing analytics companies from gathering already public data, especially in the US. Data scraping companies are not a new phenomenon; nevertheless, this type of information harvesting is becoming even more prominent, as well as controversial.
Chris Vickery was concerned that social media platforms do not take enough responsibility for what is done to the user information exposed on their websites:
I think these companies need to take a little more responsibility over what's being done with this data, and reflect on the role they're playing in this day and age.