Cybersecurity firm UpGuard has found hundreds of millions of Facebook user records sitting on Amazon's cloud servers, all available for public viewing.
The records were stored by Facebook partners, not by Facebook itself, and the data they contained was mostly non-sensitive.
Unlike the 2017 Equifax breach, no financial details or Social Security numbers were involved, though in the wrong hands the information could still support identity theft.
Still, UpGuard's findings show how Facebook partners collect massive amounts of user data through their own apps, and how poorly that data can be secured once it leaves Facebook.
Over the past two years, scrutiny of how Facebook partners collect, share, and secure user data has intensified.
Facebook stock dropped about one percent after the report and ended the day slightly negative. Amazon was up about 0.4 percent at Wednesday's close.
UpGuard wrote in a blog post that it found a dataset on Amazon's S3 storage service containing more than 540 million Facebook user records, equivalent to 145 GB of storage.
The information included comments, reactions, likes, Facebook IDs and account names, uploaded by media company Cultura Colectiva.
UpGuard also found a backup of a Facebook-linked app called "At the Pool." Among other details, it included passwords for that app, for about 22,000 users. The app ceased operations in 2014, but app passwords remain a risk for anyone who reused them elsewhere.
Because the buckets were configured to allow public access, the records could be downloaded by anyone who knew, or guessed, where to look.
“[AWS] S3 buckets usually have a name,” UpGuard’s vice president of product Greg Pollock told CNBC.
“In this case, the names were Yeti DB and the other one was CC Data Lake. If you guessed those names and have access to a browser, that’s how easy it is.”
Facebook only began investigating after a Bloomberg reporter contacted it about UpGuard's findings.
“Storing information you get from Facebook on insecure locations is specifically prohibited by our policies,” Facebook told CNBC.
Amazon said that customers, such as the app makers in this case, can override its default security settings. In a statement, it said:
AWS customers own and fully control their data. When we receive an abuse report concerning content that is not clearly illegal or otherwise prohibited, we notify the customer in question and ask that they take appropriate action, which is what happened here. While Amazon S3 is secure by default, we offer the flexibility to change our default configurations to suit the many use cases in which broader access is required, such as building a website or hosting publicly downloadable content. As is the case on premises or anywhere else, application builders must ensure that changes they make to access configurations are protecting access as intended.
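The check Pollock describes, and the configuration change Amazon's statement refers to, in code. This is an added example, not code from UpGuard, Amazon or the original article. `classify_probe` interprets what S3 returns to an unauthenticated GET of `https://<bucket>.s3.amazonaws.com/`, which is exactly the "guess the name and open a browser" test; `acl_public_grants` flags bucket ACL grants to the AllUsers and AuthenticatedUsers groups, the setting an owner turns on when overriding S3's private default. The bucket name `example-data-lake`, the object keys and the XML responses below are constructed for the example and are not the buckets or data from the report.

```python
"""Two checks behind the story above.

classify_probe() interprets what S3 returns to an unauthenticated GET of
https://<bucket>.s3.amazonaws.com/ and acl_public_grants() flags ACL grants
to the AllUsers / AuthenticatedUsers groups. Added example, not code from
UpGuard, Amazon or the article; sample responses, bucket name and keys are
constructed.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"  # namespace on listing XML
# S3 error documents (<Error><Code>...) carry no namespace.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone, no credentials",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}


def classify_probe(status, body):
    """Map one anonymous GET on the bucket root to (exposure class, keys seen)."""
    if not body:
        return "UNKNOWN", [f"HTTP {status}, empty body"]
    root = ET.fromstring(body)
    if root.tag == S3_NS + "ListBucketResult":
        # Listing succeeded: s3:ListBucket is granted to everyone.
        keys = [k.text for k in root.iter(S3_NS + "Key")]
        return "PUBLIC_LISTING", keys
    code = root.findtext("Code")
    if code == "NoSuchBucket":
        return "NONEXISTENT", []
    if code == "PermanentRedirect":
        # Bucket exists in another region; retry against the endpoint named.
        return "EXISTS_OTHER_REGION", [root.findtext("Endpoint") or ""]
    if code in ("AccessDenied", "AllAccessDisabled"):
        # Exists but listing is denied. Individual objects may still be
        # readable if their keys are guessable, so this is not proof of safety.
        return "EXISTS_PRIVATE_LISTING", []
    return "UNKNOWN", [f"HTTP {status}, code {code}"]


def probe(bucket, timeout=10):
    """Live version of the check; needs network and sends no credentials."""
    url = f"https://{bucket}.s3.amazonaws.com/"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify_probe(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify_probe(err.code, err.read())


def acl_public_grants(acl):
    """Return [(permission, who)] for each public group grant in a bucket ACL.

    `acl` uses the dict shape boto3's get_bucket_acl() returns."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GRANTEES:
            findings.append((grant["Permission"], PUBLIC_GRANTEES[uri]))
    return findings


# Constructed sample responses, shaped like real S3 replies.
SAMPLE_LISTING = b"""<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-data-lake</Name><Prefix></Prefix><Marker></Marker>
  <MaxKeys>1000</MaxKeys><IsTruncated>false</IsTruncated>
  <Contents><Key>export/users-2019-01.json</Key><Size>1048576</Size></Contents>
  <Contents><Key>backup/app.db</Key><Size>2048</Size></Contents>
</ListBucketResult>"""
SAMPLE_DENIED = b"""<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>"""
SAMPLE_MISSING = b"""<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message></Error>"""
SAMPLE_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    for label, status, body in (("listing", 200, SAMPLE_LISTING),
                                ("denied", 403, SAMPLE_DENIED),
                                ("missing", 404, SAMPLE_MISSING)):
        print(label, classify_probe(status, body))
    print("public ACL grants:", acl_public_grants(SAMPLE_ACL))
```

Two caveats for anyone running this against their own buckets: a denied listing only shows that `s3:ListBucket` is not public, not that objects with guessable keys are unreadable, so the ACL and bucket-policy side should be checked with credentials as well; and the account-level S3 Block Public Access setting, which AWS offers as a guard against exactly this class of mistake, prevents an `AllUsers` grant like the one in `SAMPLE_ACL` from taking effect even if someone adds it.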
UpGuard says it notified Cultura Colectiva by email on January 10, 2019, followed up on January 14, and has yet to receive a response.
UpGuard sells products that help companies detect and prevent data exposures.