Home Cyber Security News Latest Facebook Data Breach Totals Over 540 Million Records Found Unsecured

Latest Facebook Data Breach Totals Over 540 Million Records Found Unsecured

by Abeerah Hashim
Facebook responds to data leak of 533 million

Facebook are seemingly always in the limelight, but not for the right reasons. Once again, it made it to the news because of another privacy breach – again, affecting millions. The recent Facebook data breach also resembles Cambridge Analytica.

Reportedly, security researchers at UpGuard found two separate instances of data leakage belonging to Facebook users. As discovered, the two leaky databases link back to third-party Facebook app developers. This recent incident, as always affected millions of users. Precisely, it exposed more than 540 million records.

Third-Party Apps Leading To Facebook Data Breach

Reportedly, the first instance involves a Mexican firm Cultura Colectiva that exposed the database containing 540 million records (146 gigabytes.) The breached details include users’ Facebook IDs, account names, and their activities, such as likes, comments, and reactions, etc.

The second instance is a relatively smaller one. The exposed database belonged to a previous Facebook-integrated app ‘At the Pool’ that ceased functioning since 2014. The exposed details precisely include 22,000 passwords in plain text. Regarding this database, UpGuard stated,

“This database backup contained columns for fk_user_id, fb_user, fb_friends, fb_likes, fb_music, fb_movies, fb_books, fb_photos, fb_events, fb_groups, fb+checkins, fb_interests, password, and more. The passwords are presumably for the “At the Pool” app rather than for the user’s Facebook account.”

The researchers found both the databases left exposed on unsecured Amazon S3 buckets. They initially discovered the exposed Cultura Colectiva dataset in January 2019. Despite multiple emails to the developers and contacting AWS, they failed to secure the data. After Bloomberg’s query for comment to Facebook, the data finally was secured on April 3, 2019.

Regarding the other database, it went offline while UpGuard was analyzing the incident.

“It is unknown if this is a coincidence, if there was a hosting period lapse, or if a responsible party became aware of the exposure at that time. Regardless, the application is no longer active and all signs point to its parent company having shut down.”

About this incident, Kevin Gosschalk, CEO, Arkose Labs, told LHN,

“Social media companies are one of the most lucrative targets for cybercriminals because of all the personal identifiable information they collect and store. With 22,000 passwords left exposed to the public, it’s almost certain that they’re already available on the dark web, along with the account names included in the 540 million exposed records, for use in future cyberattacks.”

Poor Data Protection Poses A Persistent Threat

Facebook has a history of privacy breaches via third-parties. Besides the infamous Cambridge Analytica, many other such incidents have also happened. In June 2018, a once-popular Facebook app ‘NameTests’ publicly exposed 120 million records. Then, in August 2018, Facebook banned another app ‘MyPersonality’ for mishandling the data of 4 million Facebook users. Even before and after this event, Facebook banned hundreds of other apps for suspected improper handling of user data.

Perhaps, owing to the amount of incidents, Facebook expanded the scope of its bug bounty program to cover third-party apps in September 2018. However, that too seems not as useful, since the recent breach involving third-party apps tops all the previous incidents, exposing 540 million records with 22,000 passwords.

As stated by UpGuard,

“Data about Facebook users has been spread far beyond the bounds of what Facebook can control today. Combine that plenitude of personal data with storage technologies that are often misconfigured for public access, and the result is a long tail of data about Facebook users that continues to leak.”

Certainly, data collection and its subsequent handling by the firms isn’t easy as they remain vulnerable to breaches and hacks. But, such firms are held responsible and should be more vigilant towards data security.

According to Kevin Gosschalk,

“Collecting massive amounts of data comes with the massive responsibility of protecting it, and the threats are not going away. This data will be used in account takeover attacks and for synthetic account creation, and companies must prepare to protect themselves. Companies need to be proactively monitoring their attack surface and shift their focus to proactive prevention — not reactive mitigation — when it comes to cyber attacks moving forward.”

For now, Facebook users must remain cautious while sharing their personal details online. The less you share, the better.

You may also like

Latest Hacking News

Privacy Preference Center


The __cfduid cookie is used to identify individual clients behind a shared IP address and apply security settings on a per-client basis.

cookie_notice_accepted and gdpr[allowed_cookies] are used to identify the choices made from the user regarding cookie consent.

For example, if a visitor is in a coffee shop where there may be several infected machines, but the specific visitor's machine is trusted (for example, because they completed a challenge within your Challenge Passage period), the cookie allows Cloudflare to identify that client and not challenge them again. It does not correspond to any user ID in your web application, and does not store any personally identifiable information.

__cfduid, cookie_notice_accepted, gdpr[allowed_cookies]


DoubleClick by Google refers to the DoubleClick Digital Marketing platform which is a separate division within Google. This is Google’s most advanced advertising tools set, which includes five interconnected platform components.

DoubleClick Campaign Manager: the ad-serving platform, called an Ad Server, that delivers ads to your customers and measures all online advertising, even across screens and channels.

DoubleClick Bid Manager – the programmatic bidding platform for bidding on high-quality ad inventory from more than 47 ad marketplaces including Google Display Network.

DoubleClick Ad Exchange: the world’s largest ad marketplace for purchasing display, video, mobile, Search and even Facebook inventory.

DoubleClick Search: is more powerful than AdWords and used for purchasing search ads across Google, Yahoo, and Bing.

DoubleClick Creative Solutions: for designing, delivering and measuring rich media (video) ads, interactive and expandable ads.



The _ga is asssociated with Google Universal Analytics - which is a significant update to Google's more commonly used analytics service. This cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page request in a site and used to calculate visitor, session and campaign data for the sites analytics reports. By default it is set to expire after 2 years, although this is customisable by website owners.

The _gat global object is used to create and retrieve tracker objects, from which all other methods are invoked. Therefore the methods in this list should be run only off a tracker object created using the _gat global variable. All other methods should be called using the _gaq global object for asynchronous tracking.

_gid works as a user navigates between web pages, they can use the gtag.js tagging library to record information about the page the user has seen (for example, the page's URL) in Google Analytics. The gtag.js tagging library uses HTTP Cookies to "remember" the user's previous interactions with the web pages.

_ga, _gat, _gid