Facebook application developers left hundreds of millions of user records exposed on publicly viewable cloud servers, researchers at the security firm UpGuard said today.
The researchers said the larger of the two data sets came from a Mexican media company called Cultura Colectiva. The 146 GB data set contained more than 540 million records, with information such as Facebook user activity, account names and IDs, the researchers said. A similar data set was also found for an application called "At the Pool". Although it was smaller, it included especially personal information, including 22,000 passwords that were apparently used for the application rather than for Facebook itself.
It is unclear how long the information was publicly available, or who, if anyone, may have obtained it from the servers. Both sets of data were found on Amazon's cloud servers, and the data was removed after Facebook was contacted, the researchers said.
"Facebook policies prohibit the storage of Facebook information in a public database," a company spokesperson said in a statement. "Once alerted about the problem, we worked with Amazon to eliminate the databases. We are committed to working with developers on our platform to protect people's data."
Facebook has faced intense criticism about how users' data is shared with third parties. Most famously, the political data firm Cambridge Analytica collected information about users through a seemingly innocuous test application, and since then, Facebook has reduced the number of applications with access to user data.
In this case, the data seems to have been made available by mistake, but the problem still raises questions about where users' information has traveled since it was collected by Facebook applications.
"Data about Facebook users has extended well beyond what Facebook can control today," the UpGuard researchers, who have highlighted several leaks on Amazon servers on their blog, reported in a blog post that announced the findings. "Combine that fullness of personal data with storage technologies that are often misconfigured for public access, and the result is a long line of data about Facebook users that continues to leak."
Correction, 4:25 PM ET: This article previously incorrectly indicated the type of passwords found in the At the Pool data. It is believed that they are for the application, not for Facebook itself.