Researchers at the cybersecurity firm UpGuard on Wednesday said they had discovered the existence of two datasets together containing the personal data of hundreds of millions of Facebook users. Both were left publicly accessible.
In a blog post, UpGuard connected one of the leaky databases to a Mexico-based media company called Cultura Colectiva. The dataset reportedly contains over 146 GB of data, which amounts to over 540 million Facebook user records, including comments, likes, reactions, account names, Facebook user IDs, and more.
A second leak, UpGuard said, was connected to a Facebook-integrated app called “At the Pool” and had exposed roughly 22,000 passwords. “The passwords are presumably for the ‘At the Pool’ app rather than for the user’s Facebook account, but would put users at risk who have reused the same password across accounts,” the firm said. The database also contained data on users’ friends, likes, groups, and locations where they had checked in, said UpGuard.
Both datasets were stored in unsecured Amazon S3 buckets and could be accessed by virtually anyone. Neither was password protected. The buckets have since been secured or taken offline.
“The data sets vary in when they were last updated, the data points present, and the number of unique individuals in each,” UpGuard said. “What ties them together is that they both contain data about Facebook users, describing their interests, relationships, and interactions, that were available to third party developers.”
Added UpGuard: “As Facebook faces scrutiny over its data stewardship practices, they have made efforts to reduce third party access. But as these exposures show, the data genie cannot be put back in the bottle. Data about Facebook users has been spread far beyond the bounds of what Facebook can control today.”
Facebook did not immediately respond to Gizmodo’s request for comment.
This is a developing story. Check back for updates.
Update, 2:30pm: Facebook gave the following statement:
“Facebook’s policies prohibit storing Facebook information in a public database. Once alerted to the issue, we worked with Amazon to take down the databases. We are committed to working with the developers on our platform to protect people’s data.”
Update, 3:40pm: Added text clarifying that the 22,000 passwords discovered by UpGuard belong to Facebook users, but may not grant access to actual Facebook accounts. UpGuard reported that, “presumably,” the passwords would grant access to the now-defunct app, though the researchers warned it “put users at risk who have reused the same password across accounts.”