Third-party errors left over 540 million Facebook records exposed

Data sharing is only as secure as the weakest link in the chain.

Facebook is embroiled in another privacy scandal, although this time it's not of the company's direct making. UpGuard researchers have discovered over 540 million Facebook interaction records left exposed by third parties using Amazon's cloud services. Nearly all of them come from Mexican media company Cultura Colectiva, which recorded account names, comments, Facebook IDs and likes, among other details. Another exposure comes from At the Pool, a long-defunct app that left 22,000 passwords unprotected in addition to other sensitive details.

UpGuard didn't have much success getting Amazon to take down the content. It first emailed Cultura Colectiva on January 10th, and Amazon on January 28th. Cultura's data trove wasn't taken down until April 3rd, when Bloomberg reached out to Facebook for a comment. At the Pool's data vanished before a notification email could be sent.

In its response, Facebook said that the company's policies prevented storing data in public databases, and that it worked with Amazon to remove the material.

There's only so much Facebook could have done to keep a lid on the data without storing it internally, and that might have been tricky when Cultura had 146GB of records by itself. However, this does underscore a growing problem for Facebook and other data-centric tech companies: user information is only as secure as the least secure part of the chain. And in some cases, those partners make basic mistakes like leaving data publicly accessible. You might not see improvements on this front until every company is just as diligent at locking down data, not just the original providers.