From user names to plaintext passwords, two publicly exposed datasets are leaking Facebook data, according to experts.
Millions of Facebook records, including account names and plaintext passwords, have been discovered in two distinct, publicly exposed app datasets.
The first publicly exposed dataset belongs to Cultura Colectiva, a Mexico-based media company. It contains more than 540 million records, including comments, likes, reactions, account names and more. The second is a database backup from a Facebook-integrated app called At the Pool, which exposed plaintext Facebook passwords for 22,000 users along with other data. According to researchers, both databases have since been secured.
The scale of the exposed datasets bears similarity to the Facebook and Cambridge Analytica incident that came to light in March 2018. In that case, however, the data was harvested by app developers rather than inadvertently exposed.
The Upguard researchers who discovered the datasets said that these two situations speak to the intrinsic problem of mass information gathering: the data does not naturally go away, and a neglected storage location may or may not be given the attention it deserves.
Facebook was not available for comment when contacted by Threatpost.
Cultura Colectiva, a media company based in Mexico, gathered data on responses to its Facebook posts in order to tune a process for forecasting which future content would produce the most traffic. The dataset amounts to a monstrous 146 gigabytes, detailing comments, likes, reactions, account names, Facebook IDs and more.
At the Pool, which launched in 2011, was an app integrated into Facebook's platform that served as a way of introducing users to potential new friends.
In the case of the At the Pool database backup, researchers found that plaintext Facebook passwords for 22,000 users were exposed to the public internet through an Amazon S3 bucket.
Researchers said that although the passwords appear to be for the At the Pool app rather than for the users' Facebook accounts, they put at risk any users who reused the same password across accounts.
Researchers went on to note that while the At the Pool website ceased operation in 2014, that offers little comfort to the app's end users, whose names, passwords, email addresses, Facebook IDs and other details were openly exposed for an unknown period of time.
Researchers notified Facebook about the Cultura Colectiva data on Jan. 10, and again on Jan. 14, but Facebook did not respond. Because the data was stored in Amazon's S3 cloud storage, researchers then informed Amazon Web Services of the situation on Jan. 28; AWS acknowledged the report but likewise took no action.
Researchers said that the database backup was finally secured after Bloomberg contacted Facebook for comment on April 3, 2019. The At the Pool data, meanwhile, had been taken offline while researchers were still investigating its origin, and before they had sent a formal notification email to Facebook, the researchers said.