Facebook Inc said on Wednesday, April 3, that it removed public databases containing its user data on Amazon.com Inc’s cloud servers after cybersecurity firm UpGuard discovered millions of exposed records.
UpGuard’s Cyber Risk team announced in a blog post on Wednesday that Mexico City-based news website Cultura Colectiva had used Amazon servers to openly store 540 million records on Facebook users, including identification numbers, comments, reactions and account names.
Another database, from an app called At the Pool, listed names, passwords and email addresses of 22,000 people, UpGuard said.
New report from UpGuard: https://t.co/4ly2eirc6E
— UpGuard (@UpGuard) April 3, 2019
Cultura Colectiva said in a statement that all of its Facebook records came from user interactions with its three pages on Facebook and is the same information publicly accessible to anyone browsing those pages.
“Neither sensitive nor private data, like emails or passwords, were amongst those because we do not have access to that kind of data, so we did not put our users’ privacy and security at risk,” Cultura Colectiva said. “We are aware of the potential uses of data in current times, so we have reinforced our security measures to protect the data and privacy of our Facebook fan pages’ users.”
Alex Capecelatro, who was chief executive of At the Pool before it shut down around 2014, did not respond to requests to comment.
Facebook said in its statement that it worked with Amazon to take down the databases once alerted to the issue.
“Facebook’s policies prohibit storing Facebook information in a public database,” the company said.
Facebook has been hit by a number of privacy-related issues, including a glitch that exposed passwords of millions of users stored in readable format within its internal systems to its employees.
Last year, the company came under fire following revelations that Cambridge Analytica obtained personal data of millions of people’s Facebook profiles without their consent.
Facebook has said the data was initially collected by a professor for academic purposes in line with its rules, CNN reported. The information was later transferred to third parties, including Cambridge Analytica, in violation of Facebook’s policies, Facebook has said.
Since then, Facebook has come under scrutiny for offering more of its users’ data to companies than it had previously admitted. Last year, the company also revealed that attackers exploited a bug on the platform to expose the information of nearly 50 million users.
Politicians on both sides of the Atlantic have sharply criticized the company’s data privacy practices. The U.S. Federal Trade Commission is said to be looking to levy a record fine against the company for violating an earlier data privacy agreement.
In October, UK authorities hit Facebook with a £500,000 fine, the maximum possible, over the Cambridge Analytica scandal.
Facebook later announced changes aimed at protecting user data, including an audit of at least thousands of apps that have the right to access Facebook user data.
Amazon did not respond to requests for comment. It has increased efforts to educate customers about the risks associated with storing user data publicly after several such data privacy lapses by its customers made headlines in recent years.
Bloomberg was first to report the news.
The new finding is the latest to highlight Facebook’s struggle to protect the data collected from its more than 2 billion users. It may only increase scrutiny on the company after a year of data privacy scandals.
Researchers at UpGuard, a cybersecurity firm, found troves of Facebook user information hiding in plain sight, inadvertently posted publicly on Amazon’s cloud computing servers https://t.co/CXa4tAFQB0 pic.twitter.com/f4HD1BhbhK
— Bloomberg Technology (@technology) April 3, 2019
By Akanksha Rana, Sayanti Chakraborty and Paresh Dave