Unprotected AWS S3 buckets caused exposure of 540M Facebook records

Unprotected Amazon servers lead to a huge data breach involving 540 million Facebook records

Unprotected Amazon servers caused data leakage of Facebook users which included passwords in plain text

Facebook has been under the pressure over privacy issues since last year. Unfortunately, it does not look like it's getting out of it in the nearest future. According to the latest reports by UpGuard security researchers, due to unprotected Amazon S3 buckets, Facebook is dealing with yet another massive data breach involving millions of its users.^[1]

While this time Facebook details were not exposed by Facebook itself, its third-party media company Cultura Colectiva^[2] was found to store sensitive data of around 540 million Facebook users on an unprotected Amazon server.^[3] The private information includes users' passwords in plain text, user IDs, names of the accounts, relationship details, etc. The data was stored in a 146 GB database named “cc-datalake”.

Concerns have also been made about a separate app “At the Pool”, which exposed data of 22,000 users, including their names, emails, groups joined, friends accepted, and passwords in plain text ^[4]

The data leakage was stopped after Bloomberg contacted Facebook

Even though the data exposure has already been stopped,^[5] security experts from Upguard claim that they spotted rogue signs of information leakage in the past and notified Cultura Colectiva by email on January 10th this year. As long as no response was received, the cybersecurity company sent another email four days after the first one. However, Cultura Colectiva still did not show any signs of communication.

Additionally, UpGuard contacted the Amazon Web Services about their unprotected server which was causing the data leakage, however, this also took some time of writing letters as Amazon also did not manage to react and take actions quickly. This worldwide data exposure finally came out to light only when Bloomberg contacted Facebook and then the exposure was prevented.

A separate third-party application was also exposing users' passwords in plain text

As we have already mentioned, there was another application which contained exposed data such as user names, emails, groups joined, friends accepted, and passwords in plain text. It is known as “At the Pool”. This separate data leakage included around 22,000 people.^[4] However, some researchers speculate that the passwords that were found in the “At the Pool” database were truly for accessing the application itself and not used only for Facebook accounts:

The passwords are presumably for the “At the Pool” app rather than for the user’s Facebook account, but would put users at risk who have reused the same password across accounts.

Once information about the beforementioned data breach was spread worldwide and when everybody noticed that one set of leaked bata belonged to “At the Pool”, this application can no longer be activated. Users who will try to access the parent company's web page are likely to receive the 404 error window.

Sadly, this is not the only unexpected activity that has involved Facebook into the debate regarding privacy and data protection. The network itself was recently discovered storing users' passwords in plain text since the year of 2012. Gladly, the issue was eliminated and it is believed that no personal information has been misused by potential actors as it was visible only for the Facebook staff.