More than 540 million Facebook records have been left exposed on public internet servers in two more third-party Facebook app datasets, the UpGuard cyber risk team has revealed in a public blog post.
The largest dataset was linked to the Mexican media company Cultura Colectiva, which openly stored more than 540 million records, such as account names, comments, likes, Facebook IDs and reactions. The other set has been linked to a non-operational Facebook app named At the Pool and was much smaller, with just 22,000 records. The latter set, however, contained plaintext passwords.
The Cultura Colectiva dataset was closed on April 2 when Bloomberg first alerted Facebook to the problem. It was unclear how long the second set had been open; it became inaccessible as UpGuard was looking for it.
For many years, Facebook allowed all app developers to have access to information on anyone using their app, as well as access to data on users' friends. Once the data was out of Facebook's hands, developers could use it however they wanted.
The misuse of data was only brought to public attention when the Cambridge Analytica scandal, which saw up to 87 million users' data shared without their permission, came to light in March 2018. Since then, a number of scandals involving the use of Facebook data have come to light. Most recently, it was revealed that a number of security failures led to the social media giant storing between 200 million and 600 million user passwords in plain text that was searchable by employees.
"The public doesn't realize yet that these high-level systems administrators and developers, the people that are custodians of this data, they are being either risky or lazy or cutting corners," remarked Chris Vickery, director of cyber risk research at UpGuard. "Not enough care is being put into the security side of big data."