
Here we go again: 540 million records of Facebook users leaked by app developers

The regular occurrences of data breaches and leaks are grim reminders that no matter how careful you are with your online profiles, your information is just one server misconfiguration away from being exposed publicly.

Take Facebook, for instance. From the Cambridge Analytica fiasco to the more recent revelation that it was storing some passwords in plain text, it seems like there is always something about the social media giant that’s putting its users’ information at risk.

So brace yourself yet again. If you are (or were) a Facebook user, you should definitely read more about this latest round of exposed Facebook user data.

540 million Facebook records exposed

More than half a billion records of Facebook users have been exposed publicly on Amazon servers by third-party app developers, security company UpGuard revealed recently.

According to the report, two separate Facebook app data sets were stored in their own Amazon S3 cloud storage buckets, but both were configured to allow the files to be downloaded by anyone.

The bigger dataset belongs to a Mexico-based media company called Cultura Colectiva. This massive 146 GB file contains over 540 million records of Facebook users, and it includes comments, likes, reactions, account names and Facebook IDs.

The other dataset is a backup from a Facebook app called “At the Pool” and contains records of user IDs, friends, likes, interests, check-ins, groups and, alarmingly, the unprotected plain-text Facebook passwords of 22,000 users. The researchers said that the “At the Pool” app ceased operation in 2014.

As of this writing, the actual number of affected Facebook users is still unknown, but both data sets have since been secured after Facebook was contacted regarding their existence.

Facebook responds to news of leak

It’s still not known how long these data sets have been made publicly available or if they’ve been accessed by anyone, but similar to the Cambridge Analytica scandal, it just highlights Facebook’s lax control over the data it provided its third-party developers in the past.

Facebook may have tightened its control over the user data that’s available to third-party apps (due to the Cambridge Analytica fallout) but the massive amount of information that’s already been collected is still out there, just one misconfigured server away from being breached.

“… As these exposures show, the data genie cannot be put back in the bottle,” UpGuard wrote in its official blog post. “Data about Facebook users has been spread far beyond the bounds of what Facebook can control today.

“Combine that plenitude of personal data with storage technologies that are often misconfigured for public access, and the result is a long tail of data about Facebook users that continues to leak,” the UpGuard researchers continued.

In response to the latest round of leaks, here’s Facebook’s official statement:

“Facebook’s policies prohibit storing Facebook information in a public database. Once alerted to the issue, we worked with Amazon to take down the databases. We are committed to working with the developers on our platform to protect people’s data.”

Are you at risk from this Facebook leak?

Now, although these Facebook leaks don’t contain sensitive financial information like credit card numbers and Social Security numbers, this data, unfortunately, can still be used for identity theft.

Combined with data from other breaches (widely available on the dark web), a hacker can definitely build a more complete and accurate profile on an individual. Additionally, the variety of detailed personal information included in these data sets can be used to launch social engineering attacks.

Review your Facebook apps and think twice before using one

This is the main reason you should be careful about allowing third-party apps and websites to integrate with your Facebook account and exchange data with them.

You don’t really know what that little quiz, photo app, or game might do with all the Facebook data you gave them access to. While there is no denying that this integration can be convenient, it also has a big potential for abuse.

Some apps go beyond your basic profile info and ask for more data than they ought to. If you’re not careful about granting these permissions, an app can wind up mining even your most personal data.

With that said, check, review and audit your Facebook third-party apps. Throw out the outdated, delete the unwanted, kill the unused, and remove all the suspicious apps lurking in your Facebook account as soon as you can.



