Third-party devs leak millions of Facebook records

Security researchers claim to have discovered another data breach in the social media platform Facebook with more than 540 million user records affected - though the principle blame lies at the feet of third-party developers, rather than Facebook itself.

In what is becoming a common occurrence for the world's most popular social network, Facebook has reportedly suffered a severe data breach which has leaked 540 million user records including, researchers at security firm UpGuard claim, comments, likes, reactions, account names, Facebook identifiers, and in a small number of cases passwords. Unlike the most recent breach in March, which was entirely Facebook's fault, the two breaches detected by UpGuard can be blamed on third-party app developers - though Facebook holds culpability for allowing them to capture such information in the first place.

'The UpGuard Cyber Risk team can now report that two more third-party developed Facebook app datasets have been found exposed to the public internet,' the company's write-up states. 'One, originating from the Mexico-based media company Cultura Colectiva, weighs in at 146 gigabytes and contains over 540 million records detailing comments, likes, reactions, account names, FB IDs and more. This same type of collection, in similarly concentrated form, has been cause for concern in the recent past, given the potential uses of such data.

'A separate backup from a Facebook-integrated app titled "At the Pool" was also found exposed to the public internet via an Amazon S3 bucket. This database backup contained columns for fk_user_id, fb_user, fb_friends, fb_likes, fb_music, fb_movies, fb_books, fb_photos, fb_events, fb_groups, fb+checkins, fb_interests, password, and more. The passwords are presumably for the "At the Pool" app rather than for the user's Facebook account, but would put users at risk who have reused the same password across accounts.'

Of the two data sets, the Cultura Collectiva is the largest; the At the Pool breach, meanwhile, is significantly smaller but contains plain-text passwords for some 22,000 user accounts - though, given the app was discontinued in 2014, these are likely to be outdated.

UpGuard argues that, while the two third-party developers are responsible for the breaches themselves, Facebook cannot escape blame. 'As Facebook faces scrutiny over its data stewardship practices, they have made efforts to reduce third party access. But as these exposures show, the data genie cannot be put back in the bottle,' the company explains. 'Data about Facebook users has been spread far beyond the bounds of what Facebook can control today. Combine that plenitude of personal data with storage technologies that are often misconfigured for public access, and the result is a long tail of data about Facebook users that continues to leak.

'These two situations speak to the inherent problem of mass information collection: the data doesn't naturally go away, and a derelict storage location may or may not be given the attention it requires. For app developers on Facebook, part of the platform’s appeal is access to some slice of the data generated by and about Facebook users. For Cultura Colectiva, data on responses to each post allows them to tune an algorithm for predicting which future content will generate the most traffic. The data exposed in each of these sets would not exist without Facebook, yet these data sets are no longer under Facebook's control. In each case, the Facebook platform facilitated the collection of data about individuals and its transfer to third parties, who became responsible for its security. The surface area for protecting the data of Facebook users is thus vast and heterogenous, and the responsibility for securing it lies with millions of app developers who have built on its platform.'

UpGuard's full write-up is available on the company website.