AP Photo/Andrew Harnik
- Data on more than 540 million Facebook users was left exposed on public servers by app developers.
- The social network's lax data policies meant that for years developers could easily harvest users' sensitive data - and now it's leaking out.
- Facebook has since tightened up the data the user data accessible to app developers, especially in the wake of the Cambridge Analytica scandal, but at least some damage has already been done.
- "Data about Facebook users has been spread far beyond the bounds of what Facebook can control today," said UpGuard, the security firm that found the leak.
More than 500 million Facebook users' personal data was left exposed on public servers by app developers.
Researchers at security firm UpGuard found that the user data, which had been harvested from Facebook by third-party app developers, was sitting without any password protection on public Amazon servers it had been uploaded to. That data included sensitive information like users' friends, likes, music, photos, events, interests, and check-ins. UpGuard's findings were first reported by Bloomberg.
The vast majority of the records - 540 million users' info - had apparently been uploaded publicly by Cultura Cultiva, a Mexican media company. A second unprotected user data was far smaller, at around 22,000 users, and related to a Facebook-integrated app called "At the Pool" which shut down in 2014.
The findings highlight how Facebook's years of lax oversight over how app developers could access user data has led to a massive proliferation of people's sensitive information across the internet, often without their knowledge or informed consent. Facebook has since tightened up the data the user data accessible to app developers, especially in the wake of the Cambridge Analytica scandal, but at least some damage has already been done.
"As Facebook faces scrutiny over its data stewardship practices, they have made efforts to reduce third party access. But as these exposures show, the data genie cannot be put back in the bottle," UpGuard wrote in a blog post about its findings on Wednesday.
"Data about Facebook users has been spread far beyond the bounds of what Facebook can control today. Combine that plenitude of personal data with storage technologies that are often mis-configured for public access, and the result is a long tail of data about Facebook users that continues to leak," it writes.
A Facebook spokesperson did not immediately respond to Business Insider's request for comment.
Got a tip? Contact this reporter via encrypted messaging app Signal at +1 (650) 636-6268 using a non-work phone, email at rprice@businessinsider.com, Telegram or WeChat at robaeprice, or Twitter DM at @robaeprice. (PR pitches by email only, please.) You can also contact Business Insider securely via SecureDrop.
Read more:
- Car-bomb fears and stolen prototypes: Inside Facebook's efforts to protect its 80,000 workers around the globe
- Facebook quietly killed its Building 8 skunkworks unit as it reshuffles its cutting-edge experiments and hardware
- Leaked Andreessen Horowitz data reveals how much Silicon Valley startup execs really get paid, from CEOs to Sales VPs