27 September 2023

A cirrus leak: How Facebook leaked user data into the cloud


Colin Lecher* says researchers have discovered that Facebook app developers leaked millions of user records on cloud servers.



Facebook app developers left hundreds of millions of user records exposed on publicly visible cloud servers, researchers from security firm UpGuard said last week.

The researchers said the larger of the two datasets came from a Mexican media company called Cultura Colectiva.

A 146GB dataset containing more than 540 million records, with information like Facebook user activity, account names, and IDs, was found, the researchers said.

A similar dataset was also found for an app called “At the Pool.”

While smaller, the latter included especially personal information, including 22,000 passwords apparently used for the app, rather than directly for Facebook.


It’s not clear how long the data was publicly available, or who may have obtained it from the servers, if anyone.

Both datasets were found on Amazon cloud servers, and the data was removed after Facebook was contacted, the researchers said.

“Facebook’s policies prohibit storing Facebook information in a public database,” a spokesperson for the company said in a statement.

“Once alerted to the issue, we worked with Amazon to take down the databases.”

“We are committed to working with the developers on our platform to protect people’s data.”

Facebook has faced intense criticism over how it’s shared user data with third parties.

Most famously, the political data firm Cambridge Analytica harvested information on users through a seemingly innocuous quiz app.

Facebook has since cut down on the number of apps with access to user data.

In this case, the data appears to have been made available by mistake, but the problem still raises questions about where user information has travelled since it was collected by Facebook apps.

“Data about Facebook users has been spread far beyond the bounds of what Facebook can control today,” the UpGuard researchers, who have highlighted several leaks on Amazon servers in the past, wrote in a blog post announcing the findings.

“Combine that plenitude of personal data with storage technologies that are often misconfigured for public access, and the result is a long tail of data about Facebook users that continues to leak.”

* Colin Lecher is a senior reporter at The Verge. He tweets at @colinlecher.

This article first appeared at www.theverge.com.
