Millions of Facebook user records, including account names and plaintext passwords, have been found in two separate publicly exposed app databases.
The first publicly exposed dataset originates from Cultura Colectiva, a media firm based in Mexico. This dataset contains around 540 million records, which include account names, likes, comments, reactions and more. The second publicly exposed dataset comes from a Facebook-integrated app titled ‘At the Pool’. This dataset exposed plaintext Facebook passwords of nearly 22,000 users. Both exposed databases have been secured, according to the researchers. In the case of the exposed At the Pool database backup, researchers found that plaintext Facebook passwords of nearly 22,000 users were exposed on the public internet through an Amazon S3 bucket. The database also exposed data such as account names, user IDs, users’ “friends” on Facebook, interests, likes and photos.
“The passwords are presumably for the ‘At the Pool’ app rather than for the user’s Facebook account but would put users at risk who have reused the same password across accounts. This should offer little consolation to the app’s end users whose names, passwords, email addresses, Facebook IDs, and other details were openly exposed for an unknown period of time.”
Researchers informed Facebook about the Cultura Colectiva data on 10th January this year, but according to the researchers there was no response. “It was not until the morning of April 3rd, 2019, after Facebook was contacted by Bloomberg for comment, that the database backup, inside an AWS S3 storage bucket titled “cc-datalake,” was finally secured,” researchers said. This incident comes a couple of weeks after the discovery, in March this year, that millions of Facebook user passwords had been stored in plain text for years.
“As Facebook faces scrutiny over its data stewardship practices, they have made efforts to reduce third-party access. But as these exposures show, the data genie cannot be put back in the bottle. Data about Facebook users have been spread far beyond the bounds of what Facebook can control today. Combine that plenitude of personal data with storage technologies that are often misconfigured for public access, and the result is a long tail of data about Facebook users that continues to leak.”