Another Facebook Data Breach confirmed today (4th April 2019) - 540 million Facebook user data points leaked by third parties
Over 540 million Facebook user data records were compromised after third-party apps and sites stored the data on unsecured servers. The huge breach comes after numerous promises by Facebook to boost security, and it may prove to be one of the most dangerous yet. Find out why.
Two third-party Facebook app developers – Mexico-based Cultura Colectiva and an app called At The Pool – stored a total of about 540 million Facebook user data entries on unsecured Amazon Web Services (AWS) servers.
The data stored by Cultura Colectiva included more than 540 million “comments, likes, reactions, account names, FB IDs and more” from Facebook users. This data may seem innocuous, but a hacker or scammer could use it to defraud thousands of users.
Far less data was stored by At The Pool, but their data may have been more dangerous. In addition to their names, email addresses, and other Facebook data, the data included 22,000 plaintext passwords. The researchers assume that these passwords were used for the app, not Facebook. However, anyone using the same password for their other accounts would be at high risk.
At The Pool’s website has apparently been defunct since 2014. It is therefore likely that the data has been left unsecured at least since then.
The cherry on top: UpGuard, the cybersecurity firm that found and reported the breach, said that even closing the breach was an ordeal. One would hope that companies would respond quickly to protect their users’ data, but this was not the case. Here’s a timeline:
“Our first notification email went out to Cultura Colectiva on January 10th, 2019. The second email to them went out on January 14th. To this day there has been no response.”
“We then notified Amazon Web Services of the situation on January 28th. AWS sent a response on February 1st informing us that the bucket’s owner was made aware of the exposure.”
“When February 21st rolled around and the data was still not secured, we again sent an email to Amazon Web Services.”
“It was not until the morning of April 3rd, 2019, after Facebook was contacted by Bloomberg for comment, that the database backup […] was finally secured.”
It took almost 3 months for Cultura Colectiva to secure its users’ data. At The Pool’s data was secured much more quickly, but this may have simply been a stroke of good fortune. Their data set was taken offline during UpGuard’s investigation and before they sent any notification emails. However, the data had already been left unsecured for about 5 years.