Security researchers at UpGuard recently stumbled upon two unprotected cloud databases that together contained millions of data records about Facebook users, describing their interests, relationships, and interactions that were available to third-party developers.
These cloud databases were created by developers that ran third-party apps on Facebook and populated their respective databases with information about comments, likes, reactions, account names, Facebook IDs and other details. One of these databases also contained plain-text passwords that were used by over 22,000 people to log in to a third-party app on Facebook.
One such cloud database belonged to Mexico-based media company Cultura Colectiva and contained over 540 million records detailing comments, likes, reactions, account names, FB IDs and more. The other database contained information about Facebook users collected by the "At The Pool" app prior to its closure in 2014.
Data collected by the app and stored in the unprotected cloud were categorised as fk_user_id, fb_user, fb_friends, fb_likes, fb_music, fb_movies, fb_books, fb_photos, fb_events, fb_groups, fb+checkins, fb_interests, password, and more.
"The data sets vary in when they were last updated, the data points present, and the number of unique individuals in each. What ties them together is that they both contain data about Facebook users, describing their interests, relationships, and interactions, that were available to third party developers.
"As Facebook faces scrutiny over its data stewardship practices, they have made efforts to reduce third party access. But as these exposures show, the data genie cannot be put back in the bottle.
"Data about Facebook users has been spread far beyond the bounds of what Facebook can control today. Combine that plenitude of personal data with storage technologies that are often misconfigured for public access, and the result is a long tail of data about Facebook users that continues to leak," said UpGuard.
Facebook may not be able to prevent data leaks by third-party apps
Ilia Kolochenko, CEO of High-tech Bridge, said that even though the data leaked via the two unprotected dabatases are actually not that dramatic considering that 22,000 passwords in plain text are like a drop in the ocean of leaked credentials in 2018, the real problem is that most of the data [reportedly shared by Facebook with its partners] still remains somewhere, with numerous uncontrolled backups and unauthorized copies, some of which are being sold on black market already. It is impossible to control this data, and users' privacy is at huge risk.
"Even if they change their passwords, other data such as private messages, for example, or search history - will remain affixed somewhere and often in hands of unscrupulous third parties. Facebook may now face numerous multi-million civil lawsuits and class actions, let alone huge monetary fines and other sanctions by authorities," he added.
"With troves of data being shared via APIs across complex cyber supply chains and stored in multiple clouds and data centers, it is more important than ever for organisations to build threat models and perform architectural assessments of not just their systems, but those of their partners and service providers as well. Trust but verify should be part of these modern software supply chains," said Tim Mackey, senior technical evangelist at Synopsys.
"In this case, Facebook partnered with various organisations and transferred user data from Facebook users to those third parties. While it ultimately falls to everyone who touches or stores sensitive data to protect that data, if your organisation is the source of the data you have a duty to your users to protect their information as its shared. This is a key principle of regulations like GDPR which seek to protect user data as it might be processed between organisations and ensure that appropriate safeguards are in place.
"While Facebook may be in the news for continuing security issues, news coverage should serve as a wake-up call that organisations of all sizes can face data protection issues unless clear policies around data ownership are defined and followed. Potential reputational damage isn’t worth taking shortcuts with user data," he added.
"For years, Facebook allowed third-party app developers to access the Facebook data of anyone who logged in with their Facebook accounts, including the basic profile information of everyone on each user's friends list. Although Facebook has rules about how that data can be used and stored, there's little means of Facebook actually enforcing those policies until after some damage has been done.
"Cambridge Analytica was the most high profile case that led to some significant changes in how Facebook interacts with third-party developers, but I suspect there are many troves of Facebook data sitting around where they shouldn't be, including this one. And even though Facebook has limited what information third-party developers can access, there's still nothing Facebook can do about abuse or mishandling until after the fact," said Paul Bischoff, privacy advocate with Comparitech.com.