It’s been almost a year since Facebook CEO Mark Zuckerberg’s infamous federal hearing regarding the Cambridge Analytica Scandal and the lack of data protection the social media platform gives its users. Unfortunately for the Silicon Valley staple, the security troubles haven’t stopped there. There’s been leak after leak in the months since. At this point, it doesn’t even seem like joining the 40% of Americans who consider themselves very religious could save Facebook from its leak-ridden fate.
The latest one, which researchers discovered on April 3, left over 540 million Facebook records exposed on an Amazon cloud-computing server.
These records included users’ account names, comments, likes, and more. The security firm UpGuard Cyber Risk discovered these hundreds of millions of records. UpGuard has a history of discovering unsecured data, but in this instance alone it found two separate cloud storage data buckets from third-party vendors that work with Facebook.
The aforementioned 540 million records were all in just one data bucket, from a Mexico-based media company called Cultura Collective. The other bucket came from a Facebook-integrated app named “At the Pool” and included more than 22,000 plaintext passwords for the app.
Cultura Collective sent a statement to media outlets, arguing that the information in question was already publicly available before UpGuard disclosed its exposure on the cloud.
“All the publicly available data provided to us by Facebook, gathered from the fanpages we manage as publisher, is public, not sensitive, and available to all users who have access to Facebook,” the statement read.
Despite this argument, the revelation shows how little oversight Facebook still has over its app developers’ use of user data. For years now, many of these developers have had access to users’ sensitive information, frequently without the users’ knowledge or informed consent. This lack of security would be like organizations neglecting to regularly test their disaster recovery system. Yet just 25% of organizations never test their disaster recovery system. Meanwhile, Facebook is still facing leaks similar to the one involved in the Cambridge Analytica Scandal.
“As Facebook faces scrutiny over its data stewardship practices, they have made efforts to reduce third party access. But as these exposures show, the data genie cannot be put back in the bottle,” UpGuard wrote in a blog post about its findings.
According to Facebook spokesperson Katy Dormer, the social media giant’s policies prohibit the storage of Facebook information in a public database. Dormer also states that Facebook worked with Amazon to take down the databases as soon as it was made aware of the issue.