Over half a billion personal Facebook records have been publicly exposed to the internet by two third-party app developers, according to researchers at UpGuard.
The security company claimed in a blog post on Wednesday to have found the two datasets stored in Amazon S3 buckets that were configured to allow public download of files.
By far the larger of the two comes from Mexico-based media company Cultura Colectiva. The 146GB trove contained over 540 million records including comments, likes, reactions, account names, Facebook IDs and more.
UpGuard claimed the data was being collected by the firm to help it better predict which type of content will generate the most traffic.
The second S3 dataset relates to an app titled At the Pool and includes entries for the following data: fk_user_id, fb_user, fb_friends, fb_likes, fb_music, fb_movies, fb_books, fb_photos, fb_events, fb_groups, fb+checkins, fb_interests, password and more.
Although the volume of data was much smaller, it still contained 22,000 plain-text passwords for the app, which could put users at risk if they reuse credentials across multiple sites.
The At the Pool data was taken offline before UpGuard even had a chance to send a notification email. However, despite having been notified on January 10, it took until April 3 for the larger dataset to be secured.
“The data exposed in each of these sets would not exist without Facebook, yet these data sets are no longer under Facebook’s control. In each case, the Facebook platform facilitated the collection of data about individuals and its transfer to third parties, who became responsible for its security,” explained UpGuard.
“The surface area for protecting the data of Facebook users is thus vast and heterogeneous, and the responsibility for securing it lies with millions of app developers who have built on its platform.”