540 million Facebook records exposed by app developers on insecure AWS server

More chickens come home to roost at Facebook

The records of some 540 million Facebook users - about one-quarter of the total - have been found on two unsecured AWS servers.

The records were acquired by two third-party app developers from Facebook and found by researchers at security firm UpGuard.

The majority of the records come from Mexican media company Cultura Colectiva, which had a 146GB dataset containing more than 540 million records, including information such as account names, IDs and Facebook activity.

The second dataset belongs to now-defunct app 'At The Pool' and, while it contains just 22,000 records, these included sensitive data such as users' passwords stored in plaintext.

"The passwords are presumably for the 'At the Pool' app rather than for the user's Facebook account but would put at risk users who have re-used the same password across accounts," UpGuard warned.

It's not clear how long the data sat on the leaky AWS servers, but UpGuard claims that despite contacting both Cultura Colectiva and Amazon about the leak, the server was not taken down.

It was only after UpGuard notified a Bloomberg reporter of the issue, who in turn contacted Facebook, that the server was finally taken down.

"Data about Facebook users has been spread far beyond the bounds of what Facebook can control today," UpGuard said. "Combine that plenitude of personal data with storage technologies that are often misconfigured for public access, and the result is a long tail of data about Facebook users that continues to leak."

In response to the report, Facebook said its policies "prohibit storing Facebook information in a public database".

"Once alerted to the issue, we worked with Amazon to take down the databases. We are committed to working with the developers on our platform to protect people's data," the Facebook spokesperson added.

News of this privacy lapse comes just a day after it was revealed, courtesy of the Daily Beast, that Facebook is demanding that new sign-ups hand over the passwords for their personal email accounts in order to join the social network.
