540 million Facebook user data points leaked by third parties

What do we know so far?

Here’s everything we know so far about Facebook’s massive data leak.

• Two third-party Facebook app developers – Mexico-based Cultura Colectiva and an app called At The Pool – stored a total of about 540 million Facebook user data entries on unsecured Amazon Web Services (AWS) servers.
• The data stored by Cultura Colectiva included more than 540 million “comments, likes, reactions, account names, FB IDs and more” from Facebook users. This data may seem innocuous, but a hacker or scammer could use it to defraud thousands of users.
• Far less data was stored by At The Pool, but their data may have been more dangerous. In addition to their names, email addresses, and other Facebook data, the data included 22,000 plaintext passwords. The researchers assume that these passwords were used for the app, not Facebook. However, anyone using the same password for their other accounts would be at high risk.
• At The Pool’s website has apparently been defunct since 2014. It is therefore likely that the data has been left unsecured at least since then.

The cherry on top: UpGuard, the cybersecurity firm that found and reported the breach, said that even closing the breach was an ordeal. One would hope that companies would respond quickly to protect their users’ data, but this was not the case. Here’s a timeline:

• “[O]ur first notification email went out to Cultura Colectiva on January 10th, 2019. The second email to them went out on January 14th. To this day there has been no response.”
• “[W]e then notified Amazon Web Services of the situation on January 28th. AWS sent a response on February 1st informing us that the bucket’s owner was made aware of the exposure.”
• “When February 21st rolled around and the data was still not secured, we again sent an email to Amazon Web Services.”
• “It was not until the morning of April 3rd, 2019, after Facebook was contacted by Bloomberg for comment, that the database backup […] was finally secured.”

It took almost 3 months for Cultura Colectiva to secure its users’ data. At The Pool’s data was secured much more quickly, but this may have simply been a stroke of good fortune. Their data set was taken offline during UpGuard’s investigation and before they sent any notification emails. However, the data had already been left unsecured for about 5 years.

Why is this important?

If you haven’t been using At The Pool or Cultura Colectiva apps, this breach probably didn’t affect you. However, it has shown how little control Facebook has over how your data is used. Do you know what type of data Facebook and its third-party apps collect about you? Are you sure that every Facebook app you use is storing your private data securely? You may not know until it’s too late.

How to protect yourself

Unfortunately, you have little to no control over how Facebook uses your data once you give it away. The trick is to reduce your data footprint.

• Don’t use third-party Facebook apps. These apps collect data on Facebook and deliver it to third parties who may not be secure. If you don’t want your private data showing up on unsecured servers, don’t use any third-party apps on Facebook.
• Don’t use Facebook. This is a tough ask for many users, but the arguments for leaving Facebook are growing. With more and more data breaches and suspicious activities coming to light every month, more people are questioning whether this free service is worth it.
• Reduce your Facebook activity levels. If you’re not ready to deleted Facebook, the next best thing is to cut down your Facebook use. The less time you spend on Facebook and the less you do on their platform, the less they know about you. When creating or editing your account, don’t provide them with any more data than they need to provide their service.