
Facebook user data for millions found exposed on the internet by third-party apps

“The data genie cannot be put back in the bottle,” a cybersecurity firm said in a report detailing how it found the Facebook user data.
Facebook CEO Mark Zuckerberg speaks at Facebook Inc's annual F8 developers conference in San Jose, California, on May 1, 2018. Stephen Lam / Reuters file

A cybersecurity firm said Wednesday that it found millions of records openly exposed on the internet containing people’s personal data from Facebook, including passwords for 22,000 people.

UpGuard said in a report on its website that app developers had collected the data by building off the Facebook platform, a method similar to the one used years ago by app developers in the Cambridge Analytica scandal to build detailed datasets about millions of Facebook users.

The latest leaked datasets, including people’s likes and interests, were publicly accessible on Amazon-owned servers until after UpGuard found the files and began investigating during the past few months, the company said.

UpGuard said the examples showed how easily app developers have been able to gather information on Facebook users, and how difficult it is for anyone to contain that data once it’s been collected.

“The data genie cannot be put back in the bottle,” UpGuard said in its report. “Data about Facebook users has been spread far beyond the bounds of what Facebook can control today. Combine that plenitude of personal data with storage technologies that are often misconfigured for public access, and the result is a long tail of data about Facebook users that continues to leak.”

Facebook has cracked down on the access to data that third-party app developers previously had. In 2015, the company restricted access to data about users’ friends, and Facebook imposed new restrictions last year, after users, lawmakers and privacy advocates raised an outcry over the data held by Cambridge Analytica.

Facebook said in a statement Wednesday that its policies prohibit storing Facebook information in a public database.

“Once alerted to the issue, we worked with Amazon to take down the databases. We are committed to working with the developers on our platform to protect people's data,” the company said.

UpGuard said it found two instances of Facebook data exposed online. One dataset belonged to Mexico-based media company Cultura Colectiva and contained more than 540 million records detailing information such as Facebook comments, likes and reactions.

Cultura Colectiva said on Wednesday that the information it gathers from Facebook is public, not sensitive, and is used to help build its audience. Users' privacy and security were not at risk, the company said.

"We are aware of the potential uses of data in current times, so we have reinforced our security measures to protect the data and privacy of our Facebook fanpages’ users," the company said in a statement.

The second dataset related to an app called “At the Pool.” It was smaller but contained unencrypted Facebook passwords for 22,000 users, as well as email addresses and other information, UpGuard said. The app ceased operation in 2014, according to the report.

Last month, Facebook said it had found a separate example of passwords stored insecurely. The company said an internal security review discovered the passwords of hundreds of millions of users had been stored on company servers without encryption, though no passwords were leaked and the company found no indication the data was improperly accessed.