Millions of Facebook Records Found Unsecured on AWSThird-Party Apps Left Facebook Users' Data Accessible in the Cloud
Two third-party Facebook application developers exposed users' personal information by leaving the data exposed without a password in unsecured Amazon Web Services S3 buckets, researchers from the security firm UpGuard said Wednesday. One data set contained 540 million unsecured records, the report found. It's not clear how many users were affected.
For months, UpGuard researchers had attempted to contact the two companies about the exposed user data, but one firm did not remove the personally identifiable information from public view until Bloomberg contacted it about a story this week, UpGuard reports.
The second company has been out of business for several years, UpGuard found.
It's unclear if anyone attempted to access or steal this data before it was discovered, a UpGuard spokeswoman tells Information Security Media Group. It's also not known how long that data was stored without a password within AWS.
Millions of Records Exposed
As part of its research that started earlier this year, UpGuard came across two third-party app developers that gained access to Facebook data and then left that information exposed to the public internet within the AWS cloud.
The first is a company called Cultura Colectiva, a media firm based in Mexico City. The data set that the researchers found contained 146GB with 540 million records, including Facebook IDs, comments, likes, reactions, account names and more, according to UpGuard.
The second firm exposed on AWS a data set containing 22,000 passwords stored in plaintext, as well as other Facebook user data. Because the company's app, called "At the Pool," integrated with Facebook, it's likely users may have used the same passwords for both accounts, according to UpGuard.
Additionally, researchers found a backup database used with the "At the Pool" app that contained file names such as "fb_user," "fb_friends," "fb_likes," and others. The company that created the app is no longer in business and its website returns a 404 error, UpGuard found. The company's name is not mentioned in the report.
In both cases, company data sets were stored in their own Amazon S3 bucket that was configured to allow public downloads of the files and was not password protected.
"Data about Facebook users has been spread far beyond the bounds of what Facebook can control today," the UpGuard researchers write in a blog post published Wednesday. "Combine that plenitude of personal data with storage technologies that are often misconfigured for public access, and the result is a long tail of data about Facebook users that continues to leak."
Ongoing Facebook Problems
This latest issue with how Facebook handles its data, coming only a few weeks after the company was caught having user passwords stored in plaintext, is likely to bring further scrutiny to the social media company, which is already facing questions about how Cambridge Analytica accessed information on tens of millions of users.
Facebook CEO Mark Zuckerberg is facing questions both in the U.S. and Europe about the company's record on protecting data privacy and its business practices. In written responses, Facebook told the House Energy and Commerce Committee last year that third-party developers could access users' friends' data, "such as name, gender, birth date, location, photos and page likes" often without consent.
This latest issue involving third parties "could be the tip of the iceberg, given Facebook's notoriously lax information sharing," Mukul Kumar, the CISO and vice president of cyber practice at Cavirin, a Santa Clara, California-based security company, tells ISMG. "However, it probably isn't limited to Facebook, given that other internet properties did much the same."
Facebook and others need to go through their records and reach out to their various partners to secure any customer data, Kumar suggests. "Given that some of these partners may not have the expertise or may no longer exist, Facebook may need to work directly with the public cloud providers, and if they don't take the initiative, the government should intervene."
Facebook Points to Policy
Facebook says that it's against company policy for third-party developers to store any data in an unprotected public cloud.
"Facebook's policies prohibit storing Facebook information in a public database. Once alerted to the issue, we worked with Amazon to take down the databases. We are committed to working with the developers on our platform to protect people's data," a Facebook spokesperson tells ISMG.
Tracking the Data
As part of their project, UpGuard researchers attempted to contact the two companies about the data and its exposure to the public internet.
The "At the Pool" app data mysteriously was closed off after UpGuard made its first queries about it.
"The data was secured as we were analyzing it before we made notification. So there's no info coming our way about what happened in that process," the UpGuard spokeswoman told ISMG.
Closing down the data set belonging to Cultura Colectiva proved more daunting.
Twice in January, UpGuard researchers contacted that company through email but received no response.
After not receiving a response from Cultura Colectiva, UpGuard contacted AWS on Jan. 31, and received a response from Amazon on Feb. 1 that the company was looking into the situation.
However, by Feb. 21, the data was still exposed, UpGuard reports, and it sent a second notice was sent to AWS. The company told UpGuard it would look into the matter.
It wasn't until Wednesday, when Bloomberg contacted Facebook about a potential story, that the database backup, called "cc-datalake," was finally secured within the AWS S3 bucket, according to UpGuard.
In a statement provided to ISMG, an AWS spokesperson said: "AWS customers own and fully control their data. When we receive an abuse report concerning content that is not clearly illegal or otherwise prohibited, we notify the customer in question and ask that they take appropriate action, which is what happened here."
The statement continued: "While Amazon S3 is secure by default, we offer the flexibility to change our default configurations to suit the many use cases in which broader access is required, such as building a website or hosting publicly downloadable content. As is the case on premises or anywhere else, application builders must ensure that changes they make to access configurations are protecting access as intended."
Stefan Dyckerhoff, the CEO at Lacework, a cloud security tool vendor, tells ISMG that while using S3 is common, CISOs and their security teams need to be aware of what's being stored in AWS and other clouds.
"As the Facebook issue highlights, [data] can inadvertently be accessible, and without visibility and context around the behavior in those storage repositories, security teams simply won't know when there's a potential vulnerability," Dyckerhoff says. "At issue is not the S3 bucket, but how it's configured, and the awareness around configuration changes, some of which could end up being disastrous."