Facebook is seemingly always in the limelight, and rarely for the right reasons. Once again it has made the news because of another privacy incident, again affecting millions of users. The recent Facebook data leak also resembles the Cambridge Analytica case.
Security researchers at UpGuard reportedly found two separate instances of leaked data belonging to Facebook users. Both leaky datasets link back to third-party Facebook app developers. As usual, the incident affected millions of users; in total it exposed more than 540 million records.
Third-Party Apps Leading To Facebook Data Breach
The first instance involves a Mexican firm, Cultura Colectiva, which exposed a database of 540 million records (146 gigabytes). The exposed details include users' Facebook IDs, account names, and activity such as likes, comments and reactions.
The second instance is smaller. The exposed database belonged to 'At the Pool', a Facebook-integrated app that ceased operating in 2014. Among the exposed details were 22,000 passwords stored in plain text. Regarding this database, UpGuard stated,
“This database backup contained columns for fk_user_id, fb_user, fb_friends, fb_likes, fb_music, fb_movies, fb_books, fb_photos, fb_events, fb_groups, fb_checkins, fb_interests, password, and more. The passwords are presumably for the ‘At the Pool’ app rather than for the user’s Facebook account.”
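The plaintext password column is the avoidable part of this leak: a backup that falls into the wrong hands should not hand over reusable credentials. As an added example (not code from UpGuard, the app's developers or the original article), here is how such a column should be written and verified, using the scrypt function in Python's standard library. The row layout, column names and sample password are constructed to mirror the columns listed in the quote.

```python
import hashlib
import hmac
import secrets

# Parameters for hashlib.scrypt; 2**14 / 8 / 1 is the common interactive-login setting
# and costs about 16 MiB of memory per hash, which is what slows offline cracking.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DKLEN = 32


def hash_password(password: str) -> str:
    """Return a self-describing 'scrypt$n$r$p$salt$hash' string for storage."""
    salt = secrets.token_bytes(16)  # unique per user, so identical passwords hash differently
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                                n=int(n), r=int(r), p=int(p), dklen=len(digest_hex) // 2)
    except (ValueError, TypeError):
        return False  # malformed stored value: never let a bad row authenticate
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed sample rows (hypothetical user), mirroring columns named in the quoted backup.
# PLAINTEXT_ROW is the failure mode in the article: anyone holding the backup can read
# the credential directly and replay it against other sites.
PLAINTEXT_ROW = {"fk_user_id": 1001, "fb_user": "example_user", "password": "correct horse"}
HASHED_ROW = {"fk_user_id": 1001, "fb_user": "example_user",
              "password": hash_password(PLAINTEXT_ROW["password"])}

if __name__ == "__main__":
    print("stored value:", HASHED_ROW["password"])
    print("login ok:", verify_password("correct horse", HASHED_ROW["password"]))
    print("wrong pw :", verify_password("wrong", HASHED_ROW["password"]))
```

Because the salt and parameters are stored alongside the hash, a leaked backup gives an attacker only a per-user cracking job at roughly 16 MiB per guess, and the parameters can be raised later without invalidating existing rows.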
The researchers found both databases sitting in publicly accessible Amazon S3 buckets. They first discovered the exposed Cultura Colectiva dataset in January 2019. Despite multiple emails to the developers and to AWS, the data remained exposed. Only after Bloomberg asked Facebook for comment was the dataset finally secured, on April 3, 2019.
The other database went offline while UpGuard was still analyzing the incident.
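Both datasets leaked the same way: a bucket ACL or bucket policy that grants access to everyone. As an added example (not code from UpGuard, AWS or the original article), the Python below audits the three things that decide whether an S3 bucket is public: its ACL grants, its bucket policy, and the account or bucket Public Access Block settings that can neutralize both. It runs offline on constructed input whose shape matches what boto3's `get_bucket_acl`, `get_bucket_policy` and `get_public_access_block` return; the bucket name and owner ID are hypothetical.

```python
import json

PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",            # anyone on the internet
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS account, not just yours
}


def public_acl_grants(acl):
    """Return (uri, permission) for every ACL grant to a world-accessible group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            findings.append((grantee["URI"], grant.get("Permission")))
    return findings


def _principal_is_wildcard(principal):
    """True for Principal "*" or Principal {"AWS": "*"} (string or list form)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_policy_statements(policy):
    """Return (Sid, actions, has_condition) for every Allow statement open to everyone."""
    if policy is None:
        return []
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    findings = []
    for stmt in statements:
        if stmt.get("Effect") == "Allow" and _principal_is_wildcard(stmt.get("Principal")):
            # A Condition block can narrow a wildcard principal (e.g. to one VPC). We flag
            # conservatively and leave judging the condition to the reviewer.
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            findings.append((stmt.get("Sid", "<no Sid>"), actions, "Condition" in stmt))
    return findings


def audit_bucket(name, acl, policy=None, public_access_block=None):
    """Combine ACL, policy and Public Access Block settings into a list of findings."""
    pab = public_access_block or {}
    findings = []
    for uri, perm in public_acl_grants(acl):
        if pab.get("IgnorePublicAcls"):
            continue  # S3 ignores public ACLs on this bucket, so the grant is inert
        findings.append(f"{name}: ACL grants {perm} to {uri}")
    for sid, actions, conditioned in public_policy_statements(policy):
        if pab.get("RestrictPublicBuckets"):
            continue  # a public policy is limited to the account's own principals
        suffix = " (has Condition; verify it really restricts access)" if conditioned else ""
        findings.append(f"{name}: policy statement {sid} allows {actions} to everyone{suffix}")
    return findings


# Constructed sample data for a hypothetical bucket, not any real one.
LEAKY_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
LEAKY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*"}],
})
LOCKED_DOWN = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
               "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    for finding in audit_bucket("example-backups", LEAKY_ACL, LEAKY_POLICY):
        print(finding)
    print("after Public Access Block:", audit_bucket("example-backups", LEAKY_ACL, LEAKY_POLICY, LOCKED_DOWN))
```

The fix for a bucket like the one modelled here is the last line of the output: enabling all four Public Access Block settings (for example with `aws s3api put-public-access-block --bucket NAME --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true`) makes the public ACL and policy inert without editing either, and setting it at the account level covers buckets nobody remembers creating.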
“It is unknown if this is a coincidence, if there was a hosting period lapse, or if a responsible party became aware of the exposure at that time. Regardless, the application is no longer active and all signs point to its parent company having shut down.”
About this incident, Kevin Gosschalk, CEO of Arkose Labs, told LHN,
“Social media companies are one of the most lucrative targets for cybercriminals because of all the personal identifiable information they collect and store. With 22,000 passwords left exposed to the public, it’s almost certain that they’re already available on the dark web, along with the account names included in the 540 million exposed records, for use in future cyberattacks.”
Poor Data Protection Poses A Persistent Threat
Facebook has a history of privacy incidents via third parties. Besides the infamous Cambridge Analytica case, many other such incidents have occurred. In June 2018, the once-popular Facebook app 'NameTests' publicly exposed 120 million records. Then, in August 2018, Facebook banned another app, 'myPersonality', for mishandling the data of 4 million Facebook users. Before and after these events, Facebook banned hundreds of other apps for suspected improper handling of user data.
Perhaps owing to the number of incidents, Facebook expanded the scope of its bug bounty program to cover third-party apps in September 2018. That too seems to have had limited effect, since the recent incident involving third-party apps tops all previous ones, exposing 540 million records and 22,000 plaintext passwords.
As stated by UpGuard,
“Data about Facebook users has been spread far beyond the bounds of what Facebook can control today. Combine that plenitude of personal data with storage technologies that are often misconfigured for public access, and the result is a long tail of data about Facebook users that continues to leak.”
Certainly, collecting and handling user data is not easy for these firms, since stored data remains vulnerable to breaches and hacks. But such firms are responsible for the data they hold and should be more vigilant about securing it.
According to Kevin Gosschalk,
“Collecting massive amounts of data comes with the massive responsibility of protecting it, and the threats are not going away. This data will be used in account takeover attacks and for synthetic account creation, and companies must prepare to protect themselves. Companies need to be proactively monitoring their attack surface and shift their focus to proactive prevention — not reactive mitigation — when it comes to cyber attacks moving forward.”
For now, Facebook users should remain cautious about sharing personal details online, especially with third-party apps. The less you share, the better.