Security Experts:

AWS S3 Buckets Exposed Millions of Facebook Records

Two companies exposed more than 540 million records containing information on Facebook users and their activities by leaving the data unprotected in Amazon Web Services (AWS) S3 buckets.

The data was discovered in recent months by risk management solutions provider UpGuard. The company’s researchers identified an unprotected S3 bucket belonging to a Mexico-based digital media publisher named Cultura Colectiva.

The bucket stored 146 gigabytes of files containing more than 540 million Facebook-related records, including account names, comments, likes, and Facebook IDs. It’s unclear how many unique users are impacted, but Cultura Colectiva, which publishes content for sharing on social media networks, has nearly 24 million followers on Facebook.

The second exposed AWS bucket was associated with a defunct application called “At the Pool.” This database also stored information on Facebook customers and their interests, but it also included names, email addresses and plaintext passwords for 22,000 users. While the passwords were likely associated with At the Pool accounts, they could have also exposed Facebook and other accounts to takeover attempts due to password reuse.

According to UpGuard, the At the Pool data was taken offline while the company was trying to figure out who it belonged to. On the other hand, it took Cultura Colectiva nearly 3 months to secure the data and the company only took action after Facebook and AWS intervened.

Cultura Colectiva is targeted at a Latin American audience, but they also have many users in the United States, where the company opened an office in late 2017.

In a statement posted on Facebook on Wednesday, Cultura Colectiva said it only collects public information that is available to any Facebook user -- it claims to use the data to improve user experience. The company says it does not collect sensitive data, such as email addresses and passwords.

Cultura Colectiva says it has taken steps to improve user data security and that it’s committed to comply with Facebook regulations. The social media giant prohibits partners from storing Facebook information in publicly accessible databases.

“Storing user data in S3 buckets is commonplace for every organization operating workloads and accounts in AWS. But as the Facebook issue highlights, they can inadvertently be accessible, and without visibility and context around the behavior in those storage repositories, security teams simply won’t know when there’s a potential vulnerability. At issue is not S3 bucket, but how it’s configured, and the awareness around configuration changes, some of which could end up being disastrous,” Stefan Dyckerhoff, CEO at Lacework, told SecurityWeek.

High-Tech Bridge's CEO, Ilia Kolochenko, also commented on the incident: “The reported leak is actually not that dramatic: the 540 million record database contains mostly publicly accessible data, while the second database with passwords in plaintext contains just 22,000 records - a drop in the ocean of leaked credentials in 2018.”

“The real problem is that most of the data [reportedly shared by Facebook with its partners] still remains somewhere, with numerous uncontrolled backups and unauthorized copies, some of which are being sold on black market already. It is impossible to control this data, and users' privacy is at huge risk. Even if they change their passwords, other data such as private messages, for example, or search history - will remain affixed somewhere and often in hands of unscrupulous third parties,” Kolochenko said via email. “Facebook may now face numerous multi-million civil lawsuits and class actions, let alone huge monetary fines and other sanctions by authorities.”

Related: Blur Exposes Information of 2.4 Million Users

Related: Apps Give Facebook Sensitive Health and Other Data

Related: Facebook Faces Criminal Probe of Data Deals

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.