Hundreds of millions of Facebook user records were publicly displayed and accessible on Amazon servers in yet another major privacy incident for the social media giant.

Australian cybersecurity company UpGuard revealed the breach last week, finding records containing sensitive private information of Facebook users being stored on Amazon cloud servers without any protection, meaning they could be viewed and downloaded by anyone that found them.

The records were stored by two third-party Facebook apps and included comments, passwords, photos, names and likes.

The largest dataset belongs to Mexico-based media company Cultura Colectiva, which was openly storing 540 million records, with access only closed after it was reported in the media.

The other app, called At The Pool, stored the passwords and emails of 22,000 users in plaintext.

“The data sets vary in when they were last updated, the data points present and the number of unique individuals in each,” UpGuard said in the post. “What ties them together is that they both contain data about Facebook users, describing their interests, relationships and interactions that were available to third-party developers.”

The passwords stored in the At The Pool dataset were for that specific app rather than for Facebook, but there is significant risk that many users would have duplicated their passwords. The At The Pool parent company’s website has now been taken down. While the data was stored in its own Amazon S3 bucket, it was configured to allow for public downloads.

“This should offer little consolation to the app’s end users whose names, passwords, email addresses, Facebook IDs and other details were openly exposed for an unknown period of time,” UpGuard said.
These third-party apps were previously able to easily access this sort of information from Facebook, until the company cracked down on this following the Cambridge Analytica scandal. An audit conducted by the tech company suspended hundreds of applications for mishandling user data.

“As these exposures show, the data genie cannot be put back in the bottle,” the cybersecurity researchers said. “Data about Facebook users has been spread far beyond the bounds of what Facebook can control today. Combine that plenitude of personal data with storage technologies that are often misconfigured for public access, and the result is a long tail of data about Facebook users that continue to leak.”

UpGuard said it received no response from Cultura Colectiva when it notified the company of the breach, and Amazon also didn’t act to close access. The dataset was only secured after Facebook was notified of its existence at the start of this month, UpGuard said.

The At The Pool dataset was taken down during the cybersecurity firm’s investigation.

“These two situations speak to the inherent problem of mass information collection: the data doesn’t naturally go away, and a derelict storage location may or may not be given the attention it requires,” UpGuard said.

“For app developers on Facebook, part of the platform’s appeal is access to some slice of the data generated by and about Facebook users.

“In each case, the Facebook platform facilitated the collection of data about individuals and its transfer to third parties, who became responsible for its security. The surface area for protecting the data of Facebook users is thus vast and heterogenous, and the responsibility for securing it lies with millions of app developers who have built on its platform.”

The access to sensitive data that Facebook apps were given was put in the spotlight last year when it was revealed that political consulting firm Cambridge Analytica had harvested the data of millions of Facebook users without their consent, through an app offering a personality quiz.

It also comes just weeks after it was revealed that millions of Facebook passwords were being stored in plain text on the company’s own internal servers, accessible by employees.

New documents last month also showed that more than 100,000 Australians were caught up in another security breach last year, where Facebook user data on names, contact information and location were accessed.

Freedom of Information documents showed that up to 111,813 Australian Facebook users were impacted by this breach.