Facebook removes 540 mn user data on Amazon servers after breach

Social media network Facebook has removed public databases containing its user data on Amazon.com’s AWS cloud servers after cybersecurity firm UpGuard discovered millions of exposed records.
The development follows a blog post in which UpGuard’s Cyber Risk team revealed that Mexico City-based news website Cultura Colectiva had used Amazon S3 servers to openly store 540 million records on Facebook users. The user information includes identification numbers, comments, reactions and account names.

Another database, from an app called At the Pool, listed names, passwords and email addresses of 22,000 people, UpGuard said.

Cultura Colectiva said all of its Facebook records came from user interactions with its three pages on Facebook and are the same information that is publicly accessible to anyone browsing those pages, Reuters reported.

“Neither sensitive nor private data, like emails or passwords, were amongst those because we do not have access to that kind of data, so we did not put our users’ privacy and security at risk,” Cultura Colectiva said. “We are aware of the potential uses of data in current times, so we have reinforced our security measures to protect the data and privacy of our Facebook fan pages’ users.”

Facebook said in its statement on Wednesday that it worked with Amazon to take down the databases once alerted to the issue. “Facebook’s policies prohibit storing Facebook information in a public database.”

A statement from Amazon noted that certain security safeguards of AWS can be overridden by customers, such as the app makers. “While Amazon S3 is secure by default, we offer the flexibility to change our default configurations to suit the many use cases in which broader access is required, such as building a website or hosting publicly downloadable content,” Amazon said.

Facebook has been hit by a number of privacy-related issues in the recent past, including a glitch that exposed passwords of millions of users stored in readable format within its internal systems to its employees.

Last year, Facebook faced public scrutiny following revelations that Cambridge Analytica accessed personal data of millions of people’s Facebook profiles without their consent.

Facebook later announced changes aimed at protecting user data, including an audit of at least thousands of apps that have the right to access Facebook user data.

Amazon has increased efforts to educate customers about the risks associated with storing user data publicly after several such data privacy lapses by its customers made headlines in recent years.