It’s getting hard to keep up with Facebook’s mishaps. Earlier today, it emerged that the social network was asking for new users’ email passwords when signing up for an account. As if that wasn’t bad enough, a report detailing huge data exposure has emerged.
What happened?
According to security firm UpGuard, app developers exposed users’ data on public servers. In one case, Mexico-based company Cultura Colectiva had stored 540 million records weighing in at 146 gigabytes on Facebook users. This data – which was accessible and downloadable to anyone - included Facebook IDs and account names as well as comments, reactions and account names.
As the UpGuard Cyber Risk team points out: “This same type of collection, in similarly concentrated form, has been cause for concern in the recent past, given the potential uses of such data.”
Another separate backup from a Facebook-integrated app titled “At the Pool” was also found exposed to the public internet via an Amazon S3 bucket.
According to UpGuard, it contained columns for fk_user_id, fb_user, fb_friends, fb_likes, fb_music, fb_movies, fb_books, fb_photos, fb_events, fb_groups, fb+checkins, fb_interests, password, and more. “The passwords are presumably for the “At the Pool” app rather than for the user’s Facebook account, but would put users at risk who have reused the same password across accounts,” Upguard says.
How serious is it?
Some of the information exposed was pretty sensitive. “At the Pool” contained the unencrypted passwords of 22,000 Facebook users. This is despite the fact that at the Pool ceased operation in 2014: the parent company’s website is currently returning a 404 error notice. “This should offer little consolation to the app’s end users whose names, passwords, email addresses, Facebook IDs, and other details were openly exposed for an unknown period of time,” the UpGuard post says.
At the same time, each of the data sets was stored in its own Amazon S3 bucket and allowed anyone to download the files.
“As Facebook faces scrutiny over its data stewardship practices, they have made efforts to reduce third party access,” UpGuard says. “But as these exposures show, the data genie cannot be put back in the bottle.
“Data about Facebook users has been spread far beyond the bounds of what Facebook can control today. Combine that plenitude of personal data with storage technologies that are often misconfigured for public access, and the result is a long tail of data about Facebook users that continues to leak.”
What has been done to stop it?
Bloomberg reported the story first and alerted Facebook to the problem. Thankfully, Facebook has now closed down the database.
But what is even more terrible is the handling of this incident. UpGuard first sent an email to Cultura Colectiva data on January 10 this year followed by another four days later.
The firm also notified Amazon Web Services of the situation on January 28. AWS then responded on February 1 saying the bucket’s owner had been notified. But when by February 21 the data was still not secured, UpGuard emailed the firm again – only to be told AWS would be looking into how to secure the data.
On April 2 – and of course after Facebook was contacted by Bloomberg – the database backup, inside an AWS S3 storage bucket titled “cc-datalake,” was finally secured.
Meanwhile the “At the Pool” data was taken offline before a formal notification email was sent. “It is unknown if this is a coincidence, if there was a hosting period lapse, or if a responsible party became aware of the exposure at that time,” UpGuard says. “Regardless, the application is no longer active and all signs point to its parent company having shut down.”
What to do
Facebook has come under fire in the past for handing data to third parties and it's improved security as a result. But in this case, it was too little, too late. "The data exposed in each of these sets would not exist without Facebook, yet these data sets are no longer under Facebook’s control," the UpGuard post points out. "In each case, the Facebook platform facilitated the collection of data about individuals and its transfer to third parties, who became responsible for its security."
It goes without saying that you need to be careful when using Facebook apps - and perhaps consider whether to use these at all. And it really is time for people to think about closing their Facebook accounts. Many people don’t want to – and that’s understandable when you have built up years of friendships and store your photos on there.
But if you are going to continue to use Facebook, it’s important to be security-aware. Change your password: it’s probably been exposed at some point and you’ll need to change this on other services if you reuse your credentials elsewhere. Use a password manager">password manager to ensure your credentials are secure and unique.
Secondly, be careful what you post. Facebook really can’t be seen as a secure, closed site. Only share information on there that you would allow an employer to see. Don’t use the messaging service, go for something secure like Signal instead.
