Over 540 million Facebook records found on exposed AWS servers

April 03, 2019

Data breach hunters have found two Amazon cloud servers storing over 540 million Facebook-related records that have been collected by two third-party companies. The number of affected users is believed to be in the range of millions and tens of millions.

Both servers have been discovered earlier this year by security researchers from UpGuard, a California-based cyber-security firm specialized in identifying data leaks.

Leaks originated at third-party companies

The first server contained most of the data, and belonged to Cultura Colectiva, a Mexico-based online media platform operating across Spanish-speaking Latin America countries.

At a size of 146GB, this AWS server stored over 540 million records detailing user account names, Facebook IDs, comments, likes, reactions, and other data used for analyzing social media feeds and user interactions.

The second AWS server stored data recorded by the “At the Pool” Facebook game. This included details such as the Facebook user ID, a list of Facebook friends, likes, photos, groups, checkins, and user preferences like movies, music, books, interests, and other, along with 22,000 passwords.

“The passwords are presumably for the ‘At the Pool’ app rather than for the user’s Facebook account, but would put users at risk who have reused the same password across accounts,” UpGuard said.

Securing the first server took some time

Securing the first leaky server was a nightmare, UpGuard said in an incident report published today. Cultura Colectiva never responded to the researchers’ emails, and Amazon, despite receiving notifications from UpGuard about the leaky servers, did not take the leaky AWS server down, even if the data exposure was obvious.

It was only after UpGuard notified a Bloomberg reporter of the issue, who in turn contacted Facebook, that Amazon intervened to take down the server –at Facebook’s request, a Facebook’s spokesperson told ZDNet.

On the other hand, the second Amazon server, the one storing the At the Pool app data, was taken down even before UpGuard had a chance to identify and contact the company behind the Facebook game.

“It is unknown if this is a coincidence, if there was a hosting period lapse, or if a responsible party became aware of the exposure at that time. Regardless, the application is no longer active and all signs point to its parent company having shut down,” UpGuard said.

Facebook’s conundrum

These two new leaks show the major conundrum that Facebook is currently facing. The company has one of the best teams of cyber-security experts, adds security-related features to user accounts and its IT infrastructure on a regular basis, and often open-sources many of its internal security tools so other companies can use them as well.

However, the company has lost control over its most important asset –its users’ data– which is now leaking left and right from all the no-name companies and mom-and-pop developer firms who’ve collected it over the past few years.