UpGuard security firm researchers have discovered an unpleasant surprise: millions of Facebook user records were found exposed publicly on an Amazon S3 storage server without a password to protect the data.
Two third-party companies – a Mexico based media company called Cultura Colectiva and an app developer At The Pool – had left user records available for public access. User record data such as comments, likes, reactions, and account names were all stored onto the servers. At The Pool stored sensitive information from approximately 22,000 users and included data such as photos, check-ins, and friends lists.
UpGuard had not received a reply from Cultura Colectiva after warning them about the public server data back in January. After reaching out to Amazon as well, the security firm was yet again met with indifference as no one had taken action to resolve the issue. After Bloomberg’s reporting on April 3rd, the database was then secured.
A Facebook representative commented on the matter, explaining how “Facebook’s policies prohibit storing Facebook information in a public database. Once alerted to the issue, we worked with Amazon to take down the databases.” Spokespeople from the company also commented on how Facebook was not aware of the issue until the UpGuard team had brought it to their attention.
Both third-party companies had collected and stored the data in the past when Facebook was more lenient on data gathered by outside applications. However, after the Cambridge Analytica scandal, Facebook set tighter restrictions on what developers may access in regards to user data.
As of now, it is unclear on whether the data on the open storage servers were accessed by malicious actors who could potentially use it to their advantage in marketing or fraudulent schemes.