More than 540 million records of Facebook users were exposed by publicly accessible Amazon S3 buckets used by two third-party apps to store user data such as plain text app passwords, account names, user IDs, interests, relationship status, and more.

As discovered by the UpGuard Cyber Risk team, Mexico-based media company Cultura Colectiva stored the records of roughly 540 million of its users within a 146 GB database called "cc-datalake," stored in a misconfigured Amazon S3 bucket which gave anyone download permissions.

This huge collection of Facebook records contained "comments, likes, reactions, account names, FB IDs and more," allowing Cultura Colectiva to "to tune an algorithm for predicting which future content will generate the most traffic."

Another database pertaining to the now-defunct third-party Facebook-integrated "At the Pool" app (an archived version of the website HERE) with only 22,000 was also found by UpGuard in a downloadable S3 bucket but, unfortunately, this one also contained app user passwords in plain text.

"The passwords are presumably for the “At the Pool” app rather than for the user’s Facebook account, but would put users at risk who have reused the same password across accounts," says Upguard.

In addition, At the Pool's leaked database came with "fk_user_id, fb_user, fb_friends, fb_likes, fb_music, fb_movies, fb_books, fb_photos, fb_events, fb_groups, fb+checkins, fb_interests, and more" user data points.

While this database did not leak the huge amount of data contained in the exposed Cultura Colectiva database, the fact that it belongs to a company which ceased its operations five years ago in 2014 makes on think of how many other similar AWS instances are left out there ready to be downloaded and used in credential stuffing or similar types of malicious attacks.

At the Pool dataset redacted sample

There are other similarities when taking into account the two Facebook user data sets leaked by misconfigured Amazon S3 buckets beside the number of users who got their sensitive personal info exposed, like the fact that they are both describing the users' "interests, relationships, and interactions, that were available to third-party developers."

While Facebook is now trying to cover their angles saying that user privacy is one of their main goals, user data collected by third-party apps is already out there, stored in the cloud within databases that might or might not be protected adequately.

Upguard says that they contacted Cultura Colectiva to let them know they're leaking their users' data on both January 10 and January 14 but they ddi not receive an answer. However, after getting in touch with Amazon Web Services on January 28, they were informed that the company was in the end made aware of the data leak on February 1.

After another exchange and an intervention from Bloomberg who asked for comment on the issue, the cc-datalake database was eventually secured on April 3.

The At the Pool database, in turn, was removed during UpGuard's investigation to confirm its owner and, at the moment, the user data which it got leaked is no longer available for anyone to access.

Not the first time it happens

While Facebook is not behind the two leaked databases, the company certainly went through a rough year or so, seeing that it disclosed a security vulnerability which impacted around 50 million people in September 2018, a security flaw that potentially enabled malicious actors to access sensitive info of all affected users.

During December, a bug in the platform's Photo API may have also allowed attackers to gain unauthorized access to protected photos of roughly 6.8 million Facebook users.

Also, in November, an underground forum seller going by the name "FBSaler" auctioned the information of 120 million Facebook users as well as the private messages of another 81,000 profiles for 10 cents each.