Thursday, 04 April 2019 09:05

Third-party Facebook app data found sitting on the Web

Image by Simon Steinberger from Pixabay

A security firm has found two third-party developed Facebook app datasets exposed on the Web, one from the Mexico-based media company Cultura Colectiva and the other, a backup, from a Facebook-integrated app called At the Pool. Both were exposed via Amazon S3 buckets.

UpGuard, which found the exposed data, said in a blog post that the dataset from Cultura Colectiva was about 146 gigabytes and contained more than 540 million records with comments, likes, reactions, account names, and Facebook IDs.

The database backup from the At the Pool app had columns for fk_user_id, fb_user, fb_friends, fb_likes, fb_music, fb_movies, fb_books, fb_photos, fb_events, fb_groups, fb_checkins, fb_interests, password, and more.

Though not as large as the Cultura Colectiva dataset, the At the Pool data contained 22,000 user passwords in plaintext.

UpGuard said it had informed Cultura Colectiva of its find on 10 January and again on 14 January, but had received no response. AWS was informed on 28 January and again on 21 February, and it was only on 3 April that Facebook was contacted by Bloomberg for comment.

In the case of the other dataset, UpGuard said it had been taken offline while the company was investigating its likely origin.

"In each case, the Facebook platform facilitated the collection of data about individuals and its transfer to third parties, who became responsible for its security," UpGuard said.

"The surface area for protecting the data of Facebook users is thus vast and heterogeneous, and the responsibility for securing it lies with millions of app developers who have built on its platform."

Commenting on the incident, Tenable co-founder and chief technology officer Renaud Deraison said it seemed like there was a security issue discovered in the Facebook ecosystem every week.

"Facebook is giving third-party app developers access to user data," he said. "That means the company’s massive trove of data is in the hands of potentially thousands of third parties all over the world.

"App developers are focused mainly on bringing new offerings to market quickly - it’s what consumers have come to expect. It looks like Facebook doesn’t have enforced guidelines when it comes to how its partners handle cyber security.

"As long as cyber security remains an afterthought in the digital economy, we’ll continue to see these kinds of easily preventable data leaks."

Mark Perry, Asia Pacific chief technology officer at authentication solution provider Ping Identity, said: "The latest reports of user passwords exposed in plaintext on public servers by Facebook is a lamentable, but all too common, event in the technology industry.

"Tech companies are the custodians of user credentials and other personally identifiable information, a valuable resource in today's world. Data breaches are almost a daily fact of life and consumers are now dismissive of platitudes like 'your privacy is important to us' when these technology SNAFUs prove that many of the companies they trust with their data don't have the technology or processes in place to meet that goal."

Perry said his advice to tech companies was simple: "Encrypt user data at rest and in transit; use up-to-date, off-the-shelf password hashing algorithms; don't write your own security code; monitor attack vectors like APIs using modern, threat-aware solutions; and control access to your services and applications using multi-factor authentication and fine-grained access control for everyone that touches them: end users, developers and system administrators."
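Perry's point about off-the-shelf password hashing applies directly to the At the Pool backup, whose password column held plaintext. As an added example (not code from the article, UpGuard or either app), the Python below replaces that column with a salted scrypt hash using only the standard library and verifies a login against it; the sample row, its values and the scrypt parameters are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed scrypt work factors for interactive logins (2^14, 8, 1 uses ~16 MiB);
# raise N as hardware allows. Stored strings are self-describing so they can be
# re-hashed later if the parameters change.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'scrypt$N$r$p$salt_hex$key_hex' for a fresh random salt."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored parameters; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    _, n, r, p, salt_hex, key_hex = parts
    key = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=int(r), p=int(p), dklen=len(key_hex) // 2)
    return hmac.compare_digest(key.hex(), key_hex)


# Constructed sample row, reduced to columns named in the article; the values
# are made up and the plaintext password is the defect being fixed.
PLAINTEXT_ROW: Dict[str, str] = {
    "fk_user_id": "1001",
    "fb_user": "example_user",
    "password": "correct horse battery",
}


def migrate_row(row: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the row with the plaintext password column hashed."""
    migrated = dict(row)
    migrated["password"] = hash_password(row["password"])
    return migrated
```

A migrated backup still needs the bucket access fixed; hashing only limits what an exposure of the rows gives away.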

Phil Kernick, co-founder and chief technology officer at information security services provider CQR Consulting, said the breach underlined the reality of the business models of social media platforms – the users are not the customers, they are the product.

"Your data is collected, filtered, aggregated and then sold to any business that agrees to comply with Facebook’s policy of not storing it unprotected," he said.

"Whether these third parties actually comply is a contractual matter with Facebook and the users whose data is compromised have no say in the matter. While Facebook have recently made announcements that they will take a privacy-first approach to user data, this seems to be more a response to avoiding government oversight than genuine care for their users.

"They’ve made these promises before. They’ve broken these promises before. Let’s hope that this time it’s real.”


Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
