Another 540 Million Facebook Records, 22,000 Passwords Exposed
"Your data security risk is even greater the more you do business with digital third parties."
Facebook remains a personal identifiable information source that keeps giving. Researchers found two Amazon Web Services servers storing over 540 million records collected by two third-party companies from the social network.
Both servers were discovered by security researchers from Mountain View, Calif.-based UpGuard. The first, for Cultura Colectiva, a Mexico-based online media platform operating across Latin American countries, held 146 GB of data: over 540 million records listing account names, Facebook IDs, comments, likes, reactions, and other data.
“This same type of collection, in similarly concentrated form, has been cause for concern in the recent past, given the potential uses of such data,” UpGuard said.
(A joint survey by Boston-based BitSight and the Center for Financial Professionals found that the financial services industry’s heavy reliance on third parties poses a potential cyberdefense vulnerability if the risks are not actively managed.)
The second AWS server stored data for the “At the Pool” Facebook game, including Facebook user IDs, friends’ lists, likes, photos, groups, check-ins, and user preferences such as movies, music, books, and interests, as well as 22,000 passwords.
“These two situations speak to the inherent problem of mass information collection: the data doesn’t naturally go away, and a derelict storage location may or may not be given the attention it requires,” UpGuard reported. “For app developers on Facebook, part of the platform’s appeal is access to some slice of the data generated by and about Facebook users.”
Facebook’s privacy issues intensified last year when the social network revealed cyberattackers took advantage of its code to access – and possibly expose – the personal information of nearly 185 million user accounts.
Paul Bischoff, privacy advocate at the U.K.-based Comparitech.com, explained why this seems to be a common occurrence: “For years, Facebook allowed third-party app developers to access the Facebook data of anyone who logged in with their Facebook accounts, including the basic profile information of everyone on each user’s friends list.” He added Facebook has rules about use and storage of that data, but there’s little means of Facebook actually enforcing those policies until after some damage has been done.
“Permissions on platforms are not always clear to users, for example what an app can do when granted rights to your profile. Small and large app providers can be reckless in handling data trusted to them. Many would believe smaller organizations tend to lack the policies and processes to properly handle PII,” Rod Simmons, vice president of product strategy at Hawthorne, N.J.-based STEALTHbits Technologies, said. “Many of us want to blame Facebook because they are the big bad company but this is just misuse of data.”
Colin Bastable, CEO of Austin, Texas-based Lucy Security, suggested consumers knowingly give up their personal data. “Social media users have made a deal with the devil, and my take is that Facebook is living up to their part of the deal. By now, Facebook probably has a reasonable ‘Caveat Emptor’ legal defense against data leakage, because one would have to be a hermit living under a rock not to know that Facebook is security-incontinent, and ruthlessly sells all user data.”
Tim Erlin, vice president, product management and strategy at Portland, Ore.-based Tripwire, noted, “This isn’t the first time that we’ve seen sensitive data exposed on unprotected cloud storage. Organizations can’t transfer responsibility for securing sensitive data by moving it to the cloud.” Erlin held that when it’s technically feasible to continuously monitor Amazon storage settings, there’s no excuse for not protecting customer data from this type of breach.
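As an added illustration of the kind of check such monitoring would run (example code written for this page, not from the article, UpGuard or Tripwire), the function below parses an S3 bucket policy and a public-access-block configuration and flags unconditional grants to anonymous principals. The policy, account ID and bucket name are constructed sample values.

```python
import json

# Constructed sample bucket policy (not from the article): the second statement
# grants anonymous read on every object, the setting that leaves a store exposed.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

# Same shape as an S3 PublicAccessBlockConfiguration; a hardened bucket has all four True.
SAMPLE_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": False, "RestrictPublicBuckets": False}

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def _is_public_principal(principal) -> bool:
    """True if a statement's Principal covers anyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_statements(policy_json: str) -> list:
    """Sids of Allow statements open to anonymous principals (conditions are
    not evaluated, so this over-reports rather than misses a grant)."""
    policy = json.loads(policy_json)
    return [s.get("Sid", "<no Sid>") for s in policy.get("Statement", [])
            if s.get("Effect") == "Allow" and _is_public_principal(s.get("Principal"))]


def missing_public_access_blocks(pab: dict) -> list:
    """PublicAccessBlock settings that are not enabled on the bucket."""
    return [k for k in PAB_KEYS if not pab.get(k, False)]


def audit_bucket(policy_json: str, pab: dict) -> dict:
    """Summarise one bucket; 'exposed' is the condition a monitor should alert on.
    With RestrictPublicBuckets on, S3 ignores public policy grants for anonymous callers."""
    public = public_statements(policy_json)
    gaps = missing_public_access_blocks(pab)
    exposed = bool(public) and "RestrictPublicBuckets" in gaps
    return {"public_statements": public, "pab_gaps": gaps, "exposed": exposed}
```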
“The more data you collect, the more insights you have into your audiences, but your likelihood of getting hacked also grows. Your data security risk is even greater the more you do business with digital third parties,” Mike Bittner, digital security and operations manager at McLean, Va.-based The Media Trust, warned. “Your security posture is only as strong as your weakest link — and that link is likely a digital third party who has weak security practices in place, or has rushed a product to market with little or no attention to data security and privacy.”
The exposed data will be used in account takeover attacks and for synthetic account creation, Kevin Gosschalk, CEO of San Francisco-based Arkose Labs, maintained. “Social media companies are one of the most lucrative targets for cybercriminals because of all the personal identifiable information they collect and store. With 22,000 passwords left exposed to the public, it’s almost certain that they’re already available on the dark web, along with the account names included in the 540 million exposed records.”
Robert Prigge, president, Palo Alto, Calif.-based payment/ID verification company Jumio, pointed out, “Traditional authentication methods, like two-factor authentication and knowledge-based authentication, are no longer reliable or secure. Companies need to embrace emerging technology, such as artificial intelligence, augmented intelligence and machine learning, and adopt new authentication methods, like biometric-based authentication, to fight automated fraud and protect their online ecosystems.”
Meanwhile, Facebook continues to collect data. Reports surfaced last summer that Facebook is working with several financial institutions to incorporate customers’ personal financial data, including credit and debit card transactions and checking account balances, to extend the Facebook footprint. Recently Facebook has also prompted some new users to hand over their email account passwords.
“There is no reason, ever, under any circumstances, that a third party should be asking for your password. This is about the worst thing you can do from a security perspective,” George Cerbone, principal solutions architect at Aliso Viejo, Calif.-based One Identity, said.