This article is more than 1 year old

It's time to reset the 'Days without a Facebook data loss' sign after 500 million records left exposed on AWS

App devs fail to lock down their databases, yet again

The details of millions of Facebook accounts have been left ripe for harvesting thanks to a pair of careless developers.

Professional Shodan jockey Chris Vickery of Upguard spotted a pair of exposed AWS S3 buckets that appear to belong to the coders behind Cultura Colectiva and At the Pool, a pair of third-party apps for Facebook.

Vickery noted that, of the two, the Cultura Colectiva database was by far the larger of the caches. That database held about 540 million records from Facebook users, mostly in Mexico and Latin America, who subscribed to the Spanish-language news and culture app.

The exposed Cultura Colectiva database included information such as user comments, likes, reactions, Facebook ID number, and account names of the people who had opted in to the Cultura Colectiva Facebook app. While the data is not particularly sensitive, Vickery said it was important from a marketing standpoint, as it would allow publishers and marketers to see which stories and videos were generating the most traffic and comments.

Vickery added that despite multiple attempts at contact the firm dating back to January 10, Cultura Colectiva did not respond or act on the exposed data, which was only taken down after Upguard's report went live.

Sinking At The Pool

Meanwhile, the "At The Pool" database was relatively smaller in size, at just 22,000 accounts, but contained much more sensitive information than that of Cultura Colectiva. Among the datasets left open to the public internet was user IDs, likes, friends, favorite movies and books, photos, and passwords for the since-defunct app. Considering people's propensity to reuse passwords, it is likely that a number of the exposed log-ins would also work for other accounts.

The incident puts Facebook in a particularly bad position. On the one hand, the social network has no control over how third-party developers handle data and what sort of methods they use to protect it and secure it.

Spilling email all over the place

That marketing email database that exposed 809 million contact records? Maybe make that two-BILLION-plus?


On the other hand, when something like this happens, it is House Zuck that ends up catching the heat, even though Facebook's own staff had nothing to do with the exposure itself.

"For app developers on Facebook, part of the platform’s appeal is access to some slice of the data generated by and about Facebook users," Vickery noted.

"For Cultura Colectiva, data on responses to each post allows them to tune an algorithm for predicting which future content will generate the most traffic. The data exposed in each of these sets would not exist without Facebook, yet these data sets are no longer under Facebook’s control."

The Register has contacted Facebook in hopes of finding out what, if anything, it can do to wipe developer databases that are left open. At the time of publication we have yet to hear back. ®

More about


Send us news

Other stories you might like