Security Experts:

Connect with us

Hi, what are you looking for?



AWS S3 Buckets Exposed Millions of Facebook Records

Two companies exposed more than 540 million records containing information on Facebook users and their activities by leaving the data unprotected in Amazon Web Services (AWS) S3 buckets.

Two companies exposed more than 540 million records containing information on Facebook users and their activities by leaving the data unprotected in Amazon Web Services (AWS) S3 buckets.

The data was discovered in recent months by risk management solutions provider UpGuard. The company’s researchers identified an unprotected S3 bucket belonging to a Mexico-based digital media publisher named Cultura Colectiva.

The bucket stored 146 gigabytes of files containing more than 540 million Facebook-related records, including account names, comments, likes, and Facebook IDs. It’s unclear how many unique users are impacted, but Cultura Colectiva, which publishes content for sharing on social media networks, has nearly 24 million followers on Facebook.

The second exposed AWS bucket was associated with a defunct application called “At the Pool.” This database also stored information on Facebook customers and their interests, but it also included names, email addresses and plaintext passwords for 22,000 users. While the passwords were likely associated with At the Pool accounts, they could have also exposed Facebook and other accounts to takeover attempts due to password reuse.

According to UpGuard, the At the Pool data was taken offline while the company was trying to figure out who it belonged to. On the other hand, it took Cultura Colectiva nearly 3 months to secure the data and the company only took action after Facebook and AWS intervened.

Cultura Colectiva is targeted at a Latin American audience, but they also have many users in the United States, where the company opened an office in late 2017.

In a statement posted on Facebook on Wednesday, Cultura Colectiva said it only collects public information that is available to any Facebook user — it claims to use the data to improve user experience. The company says it does not collect sensitive data, such as email addresses and passwords.

Cultura Colectiva says it has taken steps to improve user data security and that it’s committed to comply with Facebook regulations. The social media giant prohibits partners from storing Facebook information in publicly accessible databases.

“Storing user data in S3 buckets is commonplace for every organization operating workloads and accounts in AWS. But as the Facebook issue highlights, they can inadvertently be accessible, and without visibility and context around the behavior in those storage repositories, security teams simply won’t know when there’s a potential vulnerability. At issue is not S3 bucket, but how it’s configured, and the awareness around configuration changes, some of which could end up being disastrous,” Stefan Dyckerhoff, CEO at Lacework, told SecurityWeek.

High-Tech Bridge’s CEO, Ilia Kolochenko, also commented on the incident: “The reported leak is actually not that dramatic: the 540 million record database contains mostly publicly accessible data, while the second database with passwords in plaintext contains just 22,000 records – a drop in the ocean of leaked credentials in 2018.”

“The real problem is that most of the data [reportedly shared by Facebook with its partners] still remains somewhere, with numerous uncontrolled backups and unauthorized copies, some of which are being sold on black market already. It is impossible to control this data, and users’ privacy is at huge risk. Even if they change their passwords, other data such as private messages, for example, or search history – will remain affixed somewhere and often in hands of unscrupulous third parties,” Kolochenko said via email. “Facebook may now face numerous multi-million civil lawsuits and class actions, let alone huge monetary fines and other sanctions by authorities.”

Related: Blur Exposes Information of 2.4 Million Users

Related: Apps Give Facebook Sensitive Health and Other Data

Related: Facebook Faces Criminal Probe of Data Deals

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Data Protection

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...