Facebook user data has been found publicly accessible on the internet, a new report from security researchers says.
Cybersecurity firm UpGuard said it found more than 540 million records – including account names, comments and likes – had been stored publicly on Amazon cloud servers by two different third-party apps.
The incident is the latest in a string of privacy failures to hit the social networking giant, as it faces continued scrutiny over its management of user data and its privacy controls.
Facebook said it had taken down the databases once it was made aware of them.
“Facebook’s policies prohibit storing Facebook information in a public database,” a company spokeswoman said in a statement.
“Once alerted to the issue, we worked with Amazon to take down the databases. We are committed to working with the developers on our platform to protect people’s data.”
The company confirmed it was continuing to investigate the incident.
The databases were from a Mexico-based media company called Cultura Colectiva and an app called At The Pool, the security researchers said.
The incident is the latest in a growing catalogue of data issues for the company, following widespread incidents of misinformation being spread on the network, breaches of user data and allegations of political manipulation.
In October last year, Facebook also revealed millions of email addresses, phone numbers and other personal user information were compromised during a security breach, affecting as many as 50 million accounts.
Last month, the company also admitted that millions of Facebook, Facebook Lite and some Instagram users had their passwords stored in plain text, leaving the accounts in question at risk.
Cybersecurity expert Ilia Kolochenko, chief executive of online security firm High-Tech Bridge, said Facebook’s problem was the amount of data it reportedly shared with third parties meant it was losing the ability to stop such leaks.
“The reported leak is actually not that dramatic: the 540 million record database contains mostly publicly accessible data, while the second database with passwords in plain text contains just 22,000 records – a drop in the ocean of leaked credentials in 2018,” he said.
“The real problem is that most of the data – reportedly shared by Facebook with its partners – still remains somewhere, with numerous uncontrolled backups and unauthorised copies, some of which are being sold on the black market already.
“It is impossible to control this data, and users’ privacy is at huge risk. Even if they change their passwords, other data such as private messages, for example, or search history – will remain affixed somewhere and often in hands of unscrupulous third parties.”
