It’s another Cambridge Analytica-esque disaster
Facebook is once again in the line of fire for data harvesting – cool! A new investigation has found that third-party apps exposed 540 million records of Facebook users’ passwords, comments, account names, likes, and unique Facebook identifiers for all to see.
The two data troves come from Cultura Colectiva, a Mexican company sharing celebrity and entertainment news with an audience of millions, from which the majority of the data came, and the app At the Pool, which hasn’t been running since 2014, but had improperly stored records of 22,000 app users who accessed it with their Facebook accounts. Some of these were available for download by anyone who found them online. It highlights just how simple it is for one service to expose the data of another.
Facebook has undergone intense scrutiny for data abuse and misuse, which culminated in last year’s Cambridge Analytica scandal, where the English political consulting and data mining firm was found to have inappropriately harvested millions of users’ data during the presidential election and Brexit. It led to new privacy and data access policies at Facebook, and the suspension of hundreds of apps. Last year Facebook also shared news of its largest security breach in history, clocking in at 30 million compromised accounts. Just last month, it was also reported that the passwords of hundreds of millions of users were accessible to large numbers of Facebook employees. Facebook isn’t directly facilitating this breach though – the data had been stored on Amazon Web Services (AWS), Amazon’s cloud servers.
What’s concerning is the fact that such a vast number of users’ data had been exposed on external servers for an unknown amount of time. Prior to the new data access policies, Facebook freely shared data with other companies, even creating the platform Open Graph in 2010 to share data with third-party sites. Through Open Graph, developers could request large amounts of user information. The social network now offers rewards for ‘bounty hunter’ researchers who find problems with its third-party apps.
In this new investigation, cybersecurity company UpGuard uncovered 100,000 open Amazon-hosted databases for different types of data, with the exposed users’ details.
“The public doesn’t realise yet that these high-level system administrators and developers, the people that are custodians of this data, they are being either risky or lazy cutting corners. Not enough security is being put into the security side of big data,” Chris Vickery, director of cyber risk research at UpGuard, said.
Mark Zuckerberg was asked about the Cultura Colectiva breach in an interview with Good Morning America: “So we’re still looking into this. In general, we work with developers to make sure that they’re respecting people’s information and using it only in ways that they want.”
A spokesperson for Facebook said that Facebook worked with Amazon to have the databases removed, and it remains committed to working with developers to protect user data. So what do you need to do? Avoid granting access to your Facebook account details to any apps you don’t use, and don’t be so tap-happy to click ‘login with Facebook’. Once your data is out there, there’s really no getting it back.