Facebook app developers left hundreds of millions of user records exposed on publicly visible cloud servers, researchers from security firm UpGuard said today.

The researchers said the larger of the two data sets came from a Mexican media company called Cultura Colectiva. A 146GB data set with information like Facebook user activity, account names, and IDs was found that included more than 540 million records, the researchers said. A similar data set was also found for an app called “At the Pool.” While smaller, the latter included especially personal information, including 22,000 passwords apparently used for the app, rather than directly for Facebook.

540 million records

It’s not clear how long the data was publicly available, or who may have obtained it from the servers, if anyone. Both data sets were found on Amazon cloud servers, and the data was removed after Facebook was contacted, the researchers said.

“Facebook’s policies prohibit storing Facebook information in a public database,” a spokesperson for the company said in a statement. “Once alerted to the issue, we worked with Amazon to take down the databases. We are committed to working with the developers on our platform to protect people’s data.”

Facebook has faced intense criticism over how it’s shared user data with third parties. Most famously, the political data firm Cambridge Analytica harvested information on users through a seemingly innocuous quiz app. Facebook has since cut down on the number of apps with access to user data.

In this case, the data appears to have been made available by mistake, but the problem still raises questions about where user information has traveled since it was collected by Facebook apps.

“Data about Facebook users has been spread far beyond the bounds of what Facebook can control today,” the UpGuard researchers, who have highlighted several leaks on Amazon servers in the past, wrote in a blog post announcing the findings. “Combine that plenitude of personal data with storage technologies that are often misconfigured for public access, and the result is a long tail of data about Facebook users that continues to leak.”

Correction, 4:25PM ET: This article previously misstated the type of passwords found in the At the Pool data. They are believed to be for the app, not for Facebook itself.