
    Facebook User Info Exposed in Misconfigured Public Cloud Storage

    By Sean Michael Kerner - April 4, 2019

      Once again, Facebook users are being warned about a data leak that could expose them to risk, as over 540 million data records from the social network have been found publicly exposed in the cloud. The impact of the disclosure, however, is being debated by one of the vendors implicated in the leak.

      The disclosure was made on April 3 by security firm UpGuard Cyber Risk, which has a history of discovering and disclosing data found in unsecured public cloud storage repositories. In the new Facebook disclosure, UpGuard found two separate cloud storage buckets, from different third-party vendors that work with Facebook.

      “One, originating from the Mexico-based media company Cultura Colectiva, weighs in at 146 gigabytes and contains over 540 million records detailing comments, likes, reactions, account names, FB IDs and more,” UpGuard wrote in its advisory. “A separate backup from a Facebook-integrated app titled “At the Pool” was also found exposed to the public internet via an Amazon S3 bucket.”

      The data from the “At the Pool” app is perhaps more sensitive for Facebook users, as it also included over 22,000 plaintext passwords. According to UpGuard’s analysis, the passwords were for the “At the Pool” app and not the users’ Facebook accounts.

      In a statement sent to media outlets, Cultura Colectiva argued that the exposed data was already publicly accessible.

      “All the publicly available data provided to us by Facebook, gathered from the fanpages we manage as publisher, is public, not sensitive, and available to all users who have access to Facebook,” Cultura Colectiva stated. “However, neither sensitive nor private data like emails or passwords were amongst those because we do not have access to that kind of data, so we did not put our users’ privacy and security at risk.”

      For its part, UpGuard argued that Cultura Colectiva is still at fault for the way it handled user information.

      “It’s one thing for an FB user to be excited enough to follow a fan page, knowing they’re sharing that excitement with their friends,” UpGuard wrote in a Twitter message. “It’s quite another thing for millions of those records to be aggregated, stored and left exposed on the Internet in a gigantic database.”

      How The Data Was Discovered

      UpGuard is no stranger to discovering information that has been left open in the public cloud. Among the disclosures that UpGuard has made about data found in cloud storage buckets are leaks involving Accenture, Verizon, the Department of Defense, and a massive leak from data analytics firm Alteryx that involved 123 million American households. In every case, the root cause was functionally the same: the organization in question, or one of its partners, inadvertently left an Amazon S3 storage bucket in a misconfigured state that enabled public access. With the new Facebook disclosure, the root cause is exactly the same.

      An Amazon S3 storage bucket has multiple configuration settings that allow or restrict different types of access. Amazon provides multiple capabilities to help users configure access correctly, including policies within S3, configuration directives with the AWS Config service, and the Amazon Macie service, which can help organizations find personally identifiable information within their S3 buckets.
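
The following added example, which is not from the article, UpGuard or AWS, checks a bucket's ACL and policy for public grants and then applies the S3 Block Public Access flags `IgnorePublicAcls` and `RestrictPublicBuckets`, one of the access controls available within S3. The function names and sample data are assumptions constructed for illustration, and treating any policy `Condition` as restrictive is a simplification.

```python
import json

# S3's predefined ACL groups for "anyone" and "any AWS account holder".
_GROUPS = "http://acs.amazonaws.com/groups/global/"
PUBLIC_GROUPS = {_GROUPS + "AllUsers", _GROUPS + "AuthenticatedUsers"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def public_acl_grants(acl):
    """Permissions a GetBucketAcl-shaped dict grants to the public groups."""
    return sorted(g["Permission"] for g in acl.get("Grants", [])
                  if g.get("Grantee", {}).get("URI") in PUBLIC_GROUPS)

def public_policy_statements(policy_json):
    """Sids of Allow statements with a wildcard principal and no Condition.
    Simplification: any Condition is assumed to restrict access."""
    if not policy_json:
        return []
    hits = []
    for i, st in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        principal = st.get("Principal")
        if isinstance(principal, dict):
            wildcard = "*" in _as_list(principal.get("AWS", []))
        else:
            wildcard = principal == "*"
        if st.get("Effect") == "Allow" and wildcard and not st.get("Condition"):
            hits.append(st.get("Sid", f"statement-{i}"))
    return hits

def bucket_exposure(acl, policy_json, block=None):
    """Public grants still effective under the Block Public Access settings."""
    block = block or {}
    findings = []
    if not block.get("IgnorePublicAcls"):       # existing public ACLs are honoured
        findings += [f"acl:{p}" for p in public_acl_grants(acl)]
    if not block.get("RestrictPublicBuckets"):  # a public policy still applies
        findings += [f"policy:{s}" for s in public_policy_statements(policy_json)]
    return findings

# Constructed sample input (not data from the incident).
SAMPLE_ACL = {"Grants": [{"Permission": "READ", "Grantee": {
    "Type": "Group", "URI": _GROUPS + "AllUsers"}}]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    print(bucket_exposure(SAMPLE_ACL, SAMPLE_POLICY))
```

`BlockPublicAcls` and `BlockPublicPolicy` only reject new public grants, so a bucket that was already public stays flagged until `IgnorePublicAcls` and `RestrictPublicBuckets` are set or the grants themselves are removed.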

      Since 2017, UpGuard has also sold a commercial Risk Detection Service that helps organizations to identify if they have left data exposed in the cloud.

      “You’ve seen all the data breaches that our firm has reported, and all that stuff is really about poor configurations and people not having a good handle on what they’ve got externally,” Mike Baukes, co-founder and co-CEO of UpGuard, told eWEEK when the service launched in 2017.

      Facebook’s Responsibility

      While the data identified by UpGuard is from Facebook users, the leak came from third-party app developers, who, according to UpGuard, are the ones now responsible for its security.

      “In each case, the Facebook platform facilitated the collection of data about individuals and its transfer to third parties, who became responsible for its security,” UpGuard stated in its advisory. “The surface area for protecting the data of Facebook users is thus vast and heterogenous, and the responsibility for securing it lies with millions of app developers who have built on its platform.”

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
