Third-party Facebook apps left people’s data publicly exposed, researchers say

The Silicon Valley security firm identified exposures by Mexico-based media company Cultura Colectiva and the now-defunct "At the Pool" app.

Two separate exposures of sensitive information about Facebook users are the latest alarming discoveries by researchers at UpGuard.

In both cases, the operators of third-party apps that connected to Facebook were storing data about people in Amazon Web Services S3 buckets configured for public access, said UpGuard, a Silicon Valley-based security company known for identifying misconfigured cloud services.

One database originated with Mexico-based Cultura Colectiva, while the other was stored by the makers of an app called “At the Pool.” Both had been secured by Wednesday, UpGuard said.

The Cultura Colectiva database is the bigger of the two exposures, including 146 gigabytes of information about comments, likes, reactions, account names, Facebook IDs and more, UpGuard said.


The “At the Pool” discovery, while not nearly as large, “contains plaintext (i.e. unprotected) Facebook passwords for 22,000 users,” UpGuard said. The company appears to have ceased operation in 2014, but this “should offer little consolation to the app’s end users whose names, passwords, email addresses, Facebook IDs, and other details were openly exposed for an unknown period of time.”

UpGuard typically notifies companies about S3 bucket exposures before reporting them publicly. In the case of Cultura Colectiva, UpGuard said it contacted the media company on Jan. 10, but the database in question wasn’t secured until Wednesday morning after Bloomberg News had contacted Cultura Colectiva for comment.

The “At the Pool” exposure was secured more quickly, as it was “taken offline during the time UpGuard was looking into the likely data origin, and prior to a formal notification email being sent,” UpGuard said. “It is unknown if this is a coincidence, if there was a hosting period lapse, or if a responsible party became aware of the exposure at that time.”

The UpGuard report comes as Facebook is still addressing the fallout from the Cambridge Analytica scandal, which highlighted how easily users’ data could end up outside the social media giant’s control. Facebook later announced it would restrict third-party access to user information.

The company also is cleaning up a mess that doesn’t involve third-party entities: It announced in March that passwords belonging to hundreds of millions of users were stored in an insecure format that could have allowed company employees to access and view login credentials.


“As Facebook faces scrutiny over its data stewardship practices, they have made efforts to reduce third party access. But as these exposures show, the data genie cannot be put back in the bottle,” UpGuard said. “Data about Facebook users has been spread far beyond the bounds of what Facebook can control today. Combine that plenitude of personal data with storage technologies that are often misconfigured for public access, and the result is a long tail of data about Facebook users that continues to leak.”

Other security issues — including “coordinated inauthentic behavior” by political information operations — continue to bedevil Facebook’s engineers, investigators and policymakers.

In the past year or so, UpGuard has identified data exposures involving Brazilian taxpayer data, U.S. voter information, profiles of social media users, and the clients of a French marketing firm.

Amazon Web Services, for its part, can’t guarantee that its users are configuring their S3 storage buckets correctly, but it will work with security researchers to identify customers who have left sensitive information unintentionally exposed. UpGuard said that in the case of Cultura Colectiva, AWS indeed reached out to that company.
