Security researchers have uncovered multiple instances of Facebook user data being exposed publicly on Amazon cloud servers, though it's not immediately clear to what extent either company is to blame.
One Mexican business, Cultura Colectiva, was found to be openly storing 540 million Facebook records including ID numbers, comments, reactions, and account names, according to security firm UpGuard. The database was shuttered on Wednesday, but only after Bloomberg contacted Facebook, which in turn spoke to Amazon.
In another example, a server was found with names, passwords, and email addresses for some 22,000 people, associated with a defunct app called "At the Pool." UpGuard warned that it didn't know how long that data had been exposed, as access closed in the middle of an investigation.
Even if Facebook isn't directly to blame, the situation may only compound pressure on the social network in the wake of multiple privacy scandals. These include data sharing deals with companies like Apple, Amazon, Microsoft, and Sony, plus people being able to look up strangers based on phone numbers submitted for two-factor authentication. By far the biggest, though, is Cambridge Analytica, which has attracted investigations by the U.S. and U.K. over voter data collected without most users' consent. In late March, Facebook was found keeping "hundreds of millions" of unencrypted passwords on internal servers.
Facebook could potentially end up paying billions in U.S. fines as a result of these breaches.
Earlier this month, CEO Mark Zuckerberg called for new privacy and electoral integrity legislation, further pledging to create an independent body through which people can appeal controversial content decisions.
13 Comments
Amazon is very, very unlikely to be to blame here. They provide cloud computing service to third parties through Amazon Web Services. My company has switched to these services and is in the process of closing our physical data center operations.
The services they offer are highly configurable. Companies using them are responsible for securing any content that needs securing; there are plenty of tools and methodologies available to do so.
Facebook as an organization seems to be populated by a great many people that know only enough to be incredibly dangerous. How could *anyone* there not have given a second thought to storing unencrypted passwords on a public server or allowing said information to flow to third parties that would do the same? It just boggles the mind.