Cybersecurity researchers on Wednesday said they found hundreds of millions of Facebook user records exposed publicly online.
Upguard, a cybersecurity firm, in a report found two third-party Facebook app makers had inadvertently exposed data sets containing troves of Facebook users’ personal information on Amazon cloud computing services.
The data contained details including Facebook users’ comments, likes and names. The information was collected by the third-party Facebook apps and stored on Amazon’s cloud.{mosads}
“Facebook’s policies prohibit storing Facebook information in a public database,” a Facebook spokesperson told The Hill. “Once alerted to the issue, we worked with Amazon to take down the databases.”
“We are committed to working with the developers on our platform to protect people’s data,” the spokesperson added.
Mexico-based company Cultura Colectiva left 540 million records exposed on Amazon’s cloud without a password, according to the researchers, and app maker At The Pool left information on 22,000 Facebook users exposed, including their passwords.
The researchers said those passwords appear to be for At The Pool’s app, but many users use the same password for multiple accounts.
The public data sets include information on “Facebook users, describing their interests, relationships, and interactions, that were available to third party developers” who made apps for Facebook.
The findings were first reported by Bloomberg News.
The latest privacy breach comes a little more than a year after revelations that Cambridge Analytica, a conservative public relations firm, obtained data on hundreds of millions of Facebook users from a researcher who collected the information through a third-party app on the platform.
It also comes weeks after Facebook announced that, for years, “hundreds of millions” of users’ passwords had been stored in unprotected plain text accessible by the company’s employees.
Facebook has been facing intense pressure and scrutiny over its privacy practices, as critics accuse the company of failing to properly safeguard users’ data.
Updated 2:12 p.m.