Millions of Facebook user records left exposed online, researchers say.
Tony Romm; Elizabeth Dwoskin.

More than 540 million Facebook records - including users' comments, likes, account names and more - were left exposed by a third-party company on an Amazon cloud-computing server, researchers disclosed on Wednesday, marking the latest major privacy and security mishap to plague the social networking giant.

The trove is one of two data sets discovered to be in full public view by the security firm UpGuard, which also raised alarms with an app developer that mishandled Facebook records that included users' interests and potentially their app passwords.

Facebook said its policies prohibit app developers from "storing information in a public database," adding in a statement Wednesday that it has worked with Amazon to take them down.
(Amazon founder and chief executive Jeff Bezos owns The Washington Post.)

"We are committed to working with the developers on our platform to protect people's data," Facebook said.

But the fact that such a vast, full cache of sensitive personal information could have been accessed by anyone online raises fresh questions about Facebook's efforts to protect its users' privacy. The report from UpGuard comes almost a year after revelations that Cambridge Analytica, a political consultancy, improperly accessed the personal data of 87 million Facebook users with the aid of a quiz app.

The exposure of Facebook's data also illustrated a hard reality: Once accessed or obtained, personal data can live forever.

"All of the data passed from Facebook to literally millions of developers needs to be managed," said Greg Pollock, a vice president at UpGuard. "I don't know that Facebook can clean up the mess they've made. It's an oil spill - that data is out there."

The first set of records appears to belong to a Mexican media company, Cultura Colectiva, which improperly stored data about people's friends, likes, photos, music, location check-ins and groups on a public Amazon server. Pollock said that UpGuard in January tried to notify the organization that its cache of Facebook information had been left open for anyone to download but received no reply.

The second set of mishandled Facebook records originated with a third-party app called At The Pool, which ceased operations in 2014. Stored on Amazon was a trove of data that included names, email addresses and 22,000 users' passwords, according to UpGuard, which could not say how long that information had been left exposed. The firm expressed concern that Facebook users who set the same password on multiple sites and services could be at the greatest risk.

Cultura Colectiva spokesman Daniel Peralta said in a statement that all the data provided to the company by Facebook was gathered from the fan pages the company manages as a publisher, which is "public, not sensitive, and available to all users who have access to Facebook." At The Pool did not respond to a request for comment.

The revelations - first reported by Bloomberg News - added to Facebook's mounting privacy woes, which have triggered numerous investigations. At the same time, Facebook chief executive Mark Zuckerberg has embarked on a wholesale reimagining of the way users interact with one another on the social networking site - and the data the company collects. On Saturday, he endorsed the broad contours of new regulation targeting the ways that tech giants tap consumers' personal data.

Before 2015, Facebook made it relatively easy for an outside developer to access the profiles of people who signed up for their services and also their friends. Such permissions were abused by the academic developer working with Cambridge Analytica. It was unclear whether Cultura Colectiva accessed this data before 2015 or afterward, when Facebook put in place more stringent restrictions on developers. After the Cambridge scandal broke in 2018, Facebook further restricted developer access and embarked on a wholesale review of third-party apps.