Researchers at the cybersecurity company UpGuard today revealed that they found two sets of data, one from a Mexican media company named Cultura Colectiva and the other from a Facebook-integrated application called “At the Pool”, both left publicly accessible on the Internet.
The Cultura Colectiva dataset, more than 146 GB in size, contains more than 540 million records of Facebook user data, including comments, likes, reactions, account names, Facebook user IDs, and more. The second dataset, from the “At the Pool” application, contains information about friends, likes, groups, and the locations of user check-ins, as well as “names, plaintext passwords, and email addresses for 22,000 people.”
UpGuard believes that the plaintext passwords found in the database are for the At the Pool application, not for users’ Facebook accounts. However, because people often reuse the same password across applications, many of the leaked passwords can be used to access users’ Facebook accounts.
“When Facebook faced scrutiny over its data surveillance practices, they have made efforts to reduce third-party access. But as this exposure shows, the data cannot be put back into the bottle. Data about Facebook users has spread far beyond the limit.”
Both datasets were stored in unsecured Amazon S3 buckets, which have now been secured and taken offline after UpGuard, Facebook, and the media contacted Amazon. This is not the first time a third-party company has collected or misused Facebook data, in some cases leaking it to the public. The most famous incident was the Cambridge Analytica scandal, in which the political data company collected and misused data on 87 million users through a seemingly harmless quiz app.
Although Facebook has since tightened its privacy controls to ensure that applications use their access properly, the social media company still faces harsh pressure and criticism for not doing enough to offer better privacy and security for its 2.3 billion users.