Hundreds of Millions of Facebook user records have been found by security researchers sitting on an inadvertently public storage server.
The two batches of user records were collected and exposed from two third-party companies, according to UpGuard security researchers who found the data.
In the researchers’ write-up, Mexico-based Cultura Colectiva left more than 540 million records — including comments, likes, reactions, account names and more — were stored on the Amazon S3 storage server without a password, allowing anyone to access the data. Another backup file by defunct California-based app maker At The Pool contained even more sensitive data, including scraped data on over 22,000 users of its apps, including each account user’s friends lists, interests, photos, group memberships, and check-ins.
A Facebook spokesperson told TechCrunch that there’s no evidence to show the data has been misused but that the company is investigating.
“Facebook’s policies prohibit storing Facebook information in a public database,” said the spokesperson. “Once alerted to the issue, we worked with Amazon to take down the databases. We are committed to working with the developers on our platform to protect people’s data.”
Chris Vickery, director of cyber risk research at UpGuard, told TechCrunch: “These finds continue to highlight the problems which plague companies that depend on mass data collection.”
“Storing personal information collected from end users is a liability,” said Vickery. “The more you have, the greater that liability becomes.”