Facebook User Info Exposed in Misconfigured Public Cloud Storage

Researchers from UpGuard have discovered two separate un-secured cloud storage buckets holding Facebook user information, once again putting the social network's users at risk.

Facebook privacy

Once again, Facebook users are being warned about a data leak that could potentially expose them to risk, as over 540 million data records from the social network have been found publicly exposed in the cloud. The impact of the data disclosure is however being debated by one of the vendors that has been implicated in the data leak.

The disclosure was made on April 3 by security firm UpGuard Cyber Risk, which has a history of discovering and disclosing data found in un-secured public cloud storage repositories. In the new Facebook disclosure, UpGuard found two separate cloud storage data buckets, from different third party vendors that work with Facebook.

"One, originating from the Mexico-based media company Cultura Colectiva, weighs in at 146 gigabytes and contains over 540 million records detailing comments, likes, reactions, account names, FB IDs and more," UpGuard wrote in its advisory. "A separate backup from a Facebook-integrated app titled “At the Pool” was also found exposed to the public internet via an Amazon S3 bucket."


The data from the "At the Pool" app is perhaps more sensitive for Facebook users as it also included over 22,000 plaintext passwords. According to UpGuard's analysis, the passwords were for the "At the Pool" app and not the users Facebook accounts.

In a statement sent to media outlets, Cultura Collective argued that the data that was exposed, was already publicly accessible.

"All the publicly available data provided to us by Facebook, gathered from the fanpages we manage as publisher, is public, not sensitive, and available to all users who have access to Facebook," Cultura Collective stated. "However, neither sensitive nor private data like emails or passwords were amongst those because we do not have access to that kind of data, so we did not put our users' privacy and security at risk."

For its' part, UpGuard argued that Cultura Collective is still at fault for the way it handled user information.

"It's one thing for an FB user to be excited enough to follow a fan page, knowing they're sharing that excitement with their friends," UpGuard wrote in a Twitter message. " It's quite another thing for millions of those records to be aggregated, stored and left exposed on the Internet in a gigantic database."

How The Data Was Discovered

UpGuard is no stranger to discovering information that has been left open in the public cloud. Among the disclosures that UpGuard has made about data found in cloud storage buckets are leaks involving Accenture, Verizon, the Department of Defense, and a massive leak that involved 123 million American household from data analytics firm Alteryx. In every case, the root cause was functionally the same, the organization in question or one of its partners, inadvertently left an Amazon S3 storage bucket in a misconfigured state that enabled public access. With the new Facebook disclosure, the root cause is exactly the same.

With an Amazon S3 storage bucket there are multiple configuration settings to allow or restrict different types of access. Amazon provides multiple capabilities to help users correctly configure access including policies within S3, configuration directives with the AWS Config service, as well as the Amazon Macie service which is able to help organizations find personally identifiable information within their S3 buckets.

Since 2017, UpGuard has also sold a commercial Risk Detection Service that helps organizations to identify if they have left data exposed in the cloud.

"You've seen all the data breaches that our firm has reported, and all that stuff is really about poor configurations and people not having a good handle on what they've got externally," Mike Baukes, co-founder and co-CEO of UpGuard, told eWEEK when the service launched in 2017.

Facebook's Responsibility

While the data identified by UpGuard is from Facebook users, the leak came from third party app developers, who are the ones that are now responsible for security according to UpGuard.

"In each case, the Facebook platform facilitated the collection of data about individuals and its transfer to third parties, who became responsible for its security," UpGuard stated in its advisory. "The surface area for protecting the data of Facebook users is thus vast and heterogenous, and the responsibility for securing it lies with millions of app developers who have built on its platform."

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.