Researchers at the cybersecurity firm UpGuard have discovered two troves of unprotected Facebook user data sitting on Amazon’s servers, exposing hundreds of millions of records about users, including their names, passwords, comments, interests, and likes. The data sets had been uploaded to Amazon’s cloud system by two different Facebook app developers.

This is just the latest evidence that when Facebook shares data with third parties, it really has no control over where that data ends up or how securely it’s stored. That became abundantly clear last year with the Cambridge Analytica scandal, when one University of Cambridge academic was able to collect tens of millions of Facebook users’ data without their knowledge, using a personality profiling quiz app. After that story made headlines, Facebook vowed to crack down on data access and to audit app developers that have ever had access to mass quantities of data. But UpGuard’s findings illustrate the limits of Facebook’s control over information it’s already given away. As the researchers put it in a blog post, “the data genie cannot be put back in the bottle.”

According to UpGuard, one of the exposed databases belonged to a Mexican company called Cultura Colectiva, which used Amazon cloud services to store some 146 gigabytes of data, including 540 million different records. UpGuard alerted the company of the exposure in early January but received no response. By the end of January, the researchers alerted Amazon, which, in turn, alerted Cultura Colectiva again. But the database wasn’t secured until Wednesday, UpGuard reports, after Bloomberg contacted Facebook about it.

Issie Lapowsky covers the intersection of tech, politics, and national affairs for WIRED.

“Facebook's policies prohibit storing Facebook information in a public database. Once alerted to the issue, we worked with Amazon to take down the databases," a Facebook spokesperson said in a statement. "We are committed to working with the developers on our platform to protect people's data.”

The other database belonged to an app called At the Pool. While the At the Pool database was smaller, it also contained plaintext user passwords for 22,000 users. "The passwords are presumably for the 'At the Pool' app rather than for the user’s Facebook account," UpGuard writes, "but would put users at risk who have reused the same password across accounts." That database was taken down during UpGuard's reporting, and the researchers say it’s unclear how long people’s information was exposed. The app, At the Pool, appears to have shut down in 2014.

Facebook's spokesperson said the company is continuing to assess the extent of the information that was available and how people might have been impacted. Of course, this is precisely what Facebook promised to do after the Cambridge Analytica breach. Indeed, the company has suspended hundreds of apps from the platform, citing concerns over "how the information people chose to share with the app may have been used." But UpGuard's findings raise questions about whether Facebook is adequately investigating how that information is being stored by third parties. In the case of Cambridge Analytica, the researcher who collected the data knowingly sold it, which was a violation of Facebook's terms. But even a well-meaning app developer who naively fails to secure their data properly poses a serious a threat to users' privacy.

"The surface area for protecting the data of Facebook users is thus vast and heterogenous, and the responsibility for securing it lies with millions of app developers who have built on its platform," the UpGuard researchers wrote.

Recently, Facebook CEO Mark Zuckerberg laid out a plan for a new type of privacy-focused social network, in which all messages are encrypted, and the content people share is increasingly ephemeral. "People clearly really want this because of what they're doing and what we're seeing people do in our products," he told WIRED. Going forward, he says, privacy will be core to the decisions that guide Facebook's future. But as this data exposure shows, he may have trouble escaping the decisions Facebook has made in its past.

Updated 4-3-2019, 3:46 pm EDT: This story has been updated to clarify that UpGuard presumes the plaintext passwords it discovered are associated with At the Pool accounts, not the users' Facebook accounts.

More Great WIRED Stories