Security Firm Finds Millions of Facebook Data Files Were Stored on Amazon’s Public Cloud Servers

UpGuard's report points to third parties

According to UpGuard, the files were stored in a way that allowed for them to be publicly downloaded. Getty Images
Headshot of Marty Swant

A cybersecurity firm says it has found millions of Facebook user files stored on a public Amazon cloud server.

According to UpGuard, more than 540 million records with user information including comments, likes, reactions, names and Facebook IDs were exposed on the public internet through third-party data sets totaling 146 gigabytes. The files, revealed today, were stored on Amazon’s S3 cloud storage and originated from Mexico-based media company Cultura Colectiva and the former Facebook-integrated app “At The Pool.”

According to UpGuard, the files—which also contained data about user interests, relationships and interactions—were stored in a way that allowed them to be publicly downloaded.

“As Facebook faces scrutiny over its data stewardship practices, they have made efforts to reduce third party access,” according to the report. “But as these exposures show, the data genie cannot be put back in the bottle. Data about Facebook users has been spread far beyond the bounds of what Facebook can control today. Combine that plenitude of personal data with storage technologies that are often misconfigured for public access, and the result is a long tail of data about Facebook users that continues to leak.”

UpGuard said it first notified Cultura Colectiva of the security risk back in early January but received no response. An email to Amazon on Jan. 28, which Amazon then responded to on Feb. 1, contained info explaining that the data bucket’s owner was informed of the risk.

UpGuard said the data wasn’t secured until today—and only after Facebook received a request for comment from Bloomberg News, which was the first to report the data exposure. (At that point, data was then stored in a AWS S3 bucket titled “cc-datalake,” according to UpGuard.)

“Facebook’s policies prohibit storing Facebook information in a public database,” a Facebook spokesperson wrote in an email to Adweek. “Once alerted to the issue, we worked with Amazon to take down the databases. We are committed to working with the developers on our platform to protect people’s data.”

In an email on Wednesday evening, an Amazon spokesperson said AWS customers “own and fully control their data.”

“When we receive an abuse report concerning content that is not clearly illegal or otherwise prohibited, we notify the customer in question and ask that they take appropriate action, which is what happened here,” the spokesperson said. “While Amazon S3 is secure by default, we offer the flexibility to change our default configurations to suit the many use cases in which broader access is required, such as building a website or hosting publicly downloadable content.”

The spokesperson added: “As is the case on premises or anywhere else, application builders must ensure that changes they make to access configurations are protecting access as intended.”

Facebook’s spent the past year grappling with issues of data privacy and user trust, stemming from when it booted the British firm Cambridge Analytica off its platform for misusing personal data. It’s also not the first time user data was exposed publicly.

In September, the company revealed that as many as 50 million users had their data exposed and potentially exploited by hackers. And just yesterday, it stopped asking users for their personal email passwords as a way of verifying their accounts—a practice that received wide criticism from security experts.

This story has been updated with comment from Amazon.

@martyswant Marty Swant is a former technology staff writer for Adweek.