The sensitive information of 540 million Facebook users has been exposed on Amazon Web Services. The breach was uncovered by cyber security firm UpGuard and includes things such as comments, FB IDs, and account names. The problem was discovered January 28th, and reported to AWS on February 1st.

“The UpGuard Cyber Risk team can now report that two more third-party developed Facebook app datasets have been found exposed to the public internet,” the company said in a post to its company site detailing its report to Amazon. “One, originating from the Mexico-based media company Cultura Colectiva, weighs in at 146 gigabytes and contains over 540 million records detailing comments, likes, reactions, account names, FB IDs and more.”

UpGuard goes on to say that when it returned on February 21st to check up on the vulnerability and see whether it had been fixed, it found that its warnings had gone unheeded. It was only after Bloomberg News contacted Facebook for comment on the breach on April 3rd that the breach was finally fixed.

Facebook Third-Party App Security

In its assessment of the situation, UpGuard highlights the problem of user data vulnerability being inherent to Facebook’s app developers collecting information about users. The disconnect lies in the fact that although Facebook facilitates the data being transferred, it has no responsibility to subsequently ensure the protection of that data.

“The data exposed in each of these sets would not exist without Facebook, yet these data sets are no longer under Facebook’s control,” the post said. “In each case, the Facebook platform facilitated the collection of data about individuals and its transfer to third parties, who became responsible for its security. The surface area for protecting the data of Facebook users is thus vast and heterogenous, and the responsibility for securing it lies with millions of app developers who have built on its platform.”

Facebook has been hit with a number of security breaches in recent memory. However, given the company’s business model of allowing third parties access to its users, it’s unlikely that changes, if any, will be coming in the near future.

