Flip that board that says “It’s been _ days since we found a massive pile of unsecured Facebook data” right back to zero, and get ready to reset your passwords again just to be safe. Security researchers discovered hundreds of millions of records on publicly-accessible Amazon cloud servers — including names, passwords, comments, likes, and all the other stuff we should all just assume has already leaked at some point.
Cybersecurity firm Upguard released its findings earlier today. There are two data sets, originating from different sources, both stored in Amazon S3 buckets — no password protection on either one, naturally. They’ve since been taken down.
In this case, it’s not Facebook itself holding the leaky bucket. The data originated from third-party sources, namely a media company called Cultura Colectiva and an app titled “At the Pool.” The former is the larger of the two — according to Upguard, it includes 540 million records on user likes, comments, IDs and more. The latter apparently includes 22,000 Facebook passwords and email addresses.
Upguard apparently tried to contact Cultura Colectiva, with no response. Facebook was apparently only made aware of the issue yesterday, when contacted by Bloomberg, and the databases were down by this morning. A Facebook spokesperson told TNW, “Once alerted to the issue, we worked with Amazon to take down the databases. We are committed to working with the developers on our platform to protect people’s data.”
Why does that sound familiar? Oh yeah…
- “…we’re making real progress and we are committed to continuing to improve.” — Expanding Our Efforts to Protect Elections in 2019
- “A lot of this work is in the early stages, and we are committed to consulting with experts, advocates, industry partners, and governments — including law enforcement and regulators — around the world to get these decisions right.” — Mark Zuckerberg’s A Privacy-Focused Vision for Social Networking
- “But we are committed to getting it right so Facebook is a safe place for people and their friends.” — Working to Keep Facebook Safe
Facebook’s major defense post-Cambridge Analytica was that it was limiting third-party apps’ access to this very kind of data. But “At the pool,” which was last used in 2014, apparently predates that measure. Upguard warned Facebook’s previous privacy gaffes would continue to echo for all of us: “But as these exposures show, the data genie cannot be put back in the bottle.”