UpGuard, which found the exposed data, said in a blog post that the dataset from Cultura Colectiva was about 146 gigabytes and contained more than 540 million records with comments, likes, reactions, account names, and Facebook IDs.
The database backup from the At the Pool app had columns for fk_user_id, fb_user, fb_friends, fb_likes, fb_music, fb_movies, fb_books, fb_photos, fb_events, fb_groups, fb_checkins, fb_interests, password, and more.
Though not as large as the Cultura Colectiva dataset, the At the Pool data contained 22,000 user passwords in plaintext.
In the case of the other dataset, UpGuard said it had been taken offline while the company was investigating its likely origin.
"In each case, the Facebook platform facilitated the collection of data about individuals and its transfer to third parties, who became responsible for its security," UpGuard said.
"The surface area for protecting the data of Facebook users is thus vast and heterogeneous, and the responsibility for securing it lies with millions of app developers who have built on its platform."
Commenting on the incident, Tenable co-founder and chief technology officer Renaud Deraison said it seemed like there was a security issue discovered in the Facebook ecosystem every week.
"Facebook is giving third-party app developers access to user data," he said. "That means the company’s massive trove of data is in the hands of potentially thousands of third parties all over the world.
"App developers are focused mainly on bringing new offerings to market quickly - it’s what consumers have come to expect. It looks like Facebook doesn’t have enforced guidelines when it comes to how its partners handle cyber security.
"As long as cyber security remains an afterthought in the digital economy, we’ll continue to see these kinds of easily preventable data leaks."
Mark Perry, Asia Pacific chief technology officer at authentication solution provider Ping Identity, said: "The latest reports of user passwords exposed in plaintext on public servers by Facebook is a lamentable, but all too common, event in the technology industry.
"Tech companies are the custodians of user credentials and other personally identifiable information, a valuable resource in today's world. Data breaches are almost a daily fact of life and consumers are now dismissive of platitudes like 'your privacy is important to us' when these technology SNAFUs prove that many of the companies they trust with their data don't have the technology or processes in place to meet that goal."
Perry said his advice to tech companies was simple: "Encrypt user data at rest and in transit; use up-to-date, off-the-shelf password hashing algorithms; don't write your own security code; monitor attack vectors like APIs using modern, threat-aware solutions; and control access to your services and applications using multi-factor authentication and fine-grained access control for everyone that touches them: end users, developers and system administrators."
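As an added illustration of the "off-the-shelf password hashing" Perry recommends (example code written for this page, not from the article, UpGuard, Ping Identity or either app), the snippet below replaces a plaintext password column like the one in the At the Pool backup with a salted scrypt hash from Python's standard library, verifies logins in constant time, and audits constructed sample rows for any password values still stored in the clear. The work factors and the `scrypt$N$r$p$salt$key` storage format are assumptions, not values from the page.

```python
import hashlib
import hmac
import os

# scrypt work factors (assumed, interactive-login scale): 128*N*r bytes = 16 MiB per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P, SALT_LEN, KEY_LEN = 2**14, 8, 1, 16, 32


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing 'scrypt$N$r$p$salt_hex$key_hex' string to store
    instead of the plaintext value; a fresh per-user salt is drawn unless one is given."""
    salt = salt or os.urandom(SALT_LEN)  # per-user salt defeats precomputed tables
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters embedded in the stored value and compare in
    constant time, so a malformed or non-scrypt field is simply rejected."""
    try:
        algo, n, r, p, salt_hex, key_hex = stored.split("$")
        if algo != "scrypt":
            return False
        key = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                             n=int(n), r=int(r), p=int(p), dklen=len(key_hex) // 2)
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(key.hex(), key_hex)


def plaintext_password_users(rows, column="password"):
    """Audit helper: list the fb_user of every row whose password column does not
    carry the hash prefix, i.e. still holds a cleartext secret as the leaked backup did."""
    return [row["fb_user"] for row in rows
            if not str(row.get(column, "")).startswith("scrypt$")]


# Constructed sample rows mimicking the leaked backup's column names (not real data).
SAMPLE_ROWS = [
    {"fb_user": "user_a", "password": "hunter2"},                        # stored in the clear
    {"fb_user": "user_b", "password": hash_password("correct horse")},   # hashed correctly
]

if __name__ == "__main__":
    print("rows still holding plaintext passwords:", plaintext_password_users(SAMPLE_ROWS))
```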
Phil Kernick, co-founder and chief technology officer at information security services provider CQR Consulting, said the breach underlined the reality of the business models of social media platforms – the users are not the customers, they are the product.
"Your data is collected, filtered, aggregated and then sold to any business that agrees to comply with Facebook’s policy of not storing it unprotected," he said.
"Whether these third parties actually comply is a contractual matter with Facebook and the users whose data is compromised have no say in the matter. While Facebook have recently made announcements that they will take a privacy-first approach to user data, this seems to be more a response to avoiding government oversight than genuine care for their users.
"They’ve made these promises before. They’ve broken these promises before. Let’s hope that this time it’s real."