Facebook has stepped into another steaming data scandal.
The social media platform can’t seem to dislodge itself from the hot PR mess stemming from investigations into Cambridge Analytica and other third-party apps with access to users’ information.
The company has tried op-eds from leaders Mark Zuckerberg and Sheryl Sandberg, blog posts and social media messages, a couple of media apology tours and, most recently, a high-profile call for privacy and regulation.
Throw another log onto the PR conflagration.
New reports suggest that third-party apps with prior access to user data were not held to adequate security standards, and Facebook will face additional scrutiny over exposed data.
Flip that board that says “It’s been _ days since we found a massive pile of unsecured Facebook data” right back to zero, and get ready to reset your passwords again just to be safe. Security researchers discovered hundreds of millions of records on publicly-accessible Amazon cloud servers — including names, passwords, comments, likes, and all the other stuff we should all just assume has already leaked at some point.
Cybersecurity firm Upguard released its findings earlier today. There are two data sets, originating from different sources, both stored in Amazon S3 buckets — no password protection on either one, naturally. They’ve since been taken down.
In this case, it’s not Facebook itself holding the leaky bucket. The data originated from third-party sources, namely a media company called Cultura Colectiva and an app titled “At the Pool.” The former is the larger of the two — according to Upguard, it includes 540 million records on user likes, comments, IDs and more. The latter apparently includes 22,000 Facebook passwords and email addresses.
Facebook doesn’t have anything new to say about these latest reports.
The Next Web continues:
A Facebook spokesperson told TNW, “Once alerted to the issue, we worked with Amazon to take down the databases. We are committed to working with the developers on our platform to protect people’s data.”
Why does that sound familiar? Oh yeah…
- “…we’re making real progress and we are committed to continuing to improve.” — Expanding Our Efforts to Protect Elections in 2019
- “A lot of this work is in the early stages, and we are committed to consulting with experts, advocates, industry partners, and governments — including law enforcement and regulators — around the world to get these decisions right.” — Mark Zuckerberg’s A Privacy-Focused Vision for Social Networking
- “But we are committed to getting it right so Facebook is a safe place for people and their friends.” — Working to Keep Facebook Safe
Facebook’s major defense post-Cambridge Analytica was that it was limiting third-party apps’ access to this very kind of data. But “At the pool,” which was last used in 2014, apparently predates that measure. Upguard warned Facebook’s previous privacy gaffes would continue to echo for all of us: “But as these exposures show, the data genie cannot be put back in the bottle.”
Facebook wasn’t the only company implicated; security researchers reported difficulty in getting host company Amazon to remove the compromised files.
After security researcher Chris Vickery discovered millions of records from Facebook Inc. users sitting unsecured on a public database, he tried for weeks to get Amazon.com Inc., owner of the servers where the data were stored, to take it down.
“We’re looking into the situation and assessing any extra steps we can take,” came the response from Amazon security staff on Feb. 21 — three weeks after Vickery initially brought the data exposure to Amazon’s attention.
The trove in question included 540 million pieces of information, such as identification numbers, comments, reactions and account names, that had been culled from Facebook pages and stored on Amazon servers by Mexico City-based digital platform Cultura Colectiva. The records were accessible and downloadable for anyone who could find them online, and they didn’t get taken down until April 3, after Facebook — alerted by Bloomberg News — contacted Amazon.
The incident also raises questions about who is responsible for data security when the data is stored in the cloud by providers like Amazon or Microsoft.
AWS customers “own and fully control their data,” Amazon said in a statement. “When we receive an abuse report concerning content that is not clearly illegal or otherwise prohibited, we notify the customer in question and ask that they take appropriate action, which is what happened here.”
Amazon has grown into the world’s biggest provider of on-demand data storage and computing power in part by pledging to big companies that their data will be as private in the cloud as it was sitting in a back-room server.
“They just don’t want to start a precedent of them meddling with the data,” Vickery said, back when he was having trouble getting Amazon to take it down. “If they start shutting down access to data breaches, they start getting into liability a bit more. They’re in a sticky situation.”
More important, the incident undermines Facebook’s new message to consumers that privacy and security are the new focus of the tech behemoth, which built its digital empire on advertising.
“We are committed to working with the developers on our platform to protect people’s data,” Facebook said.
But the fact that such a vast, full cache of sensitive personal information could have been accessed by anyone online raises fresh questions about Facebook’s efforts to protect its users’ privacy. The report from UpGuard comes almost a year after revelations that Cambridge Analytica, a political consultancy, improperly accessed the personal data of 87 million Facebook users with the aid of a quiz app.
The exposure of Facebook’s data also illustrated a hard reality: Once accessed or obtained, personal data can live forever.
“All of the data passed from Facebook to literally millions of developers needs to be managed,” said Greg Pollock, a vice president at UpGuard. “I don’t know that Facebook can clean up the mess they’ve made. It’s an oil spill – that data is out there.”
The first set of records appear to belong to a Mexican media company, Cultura Colectiva, which improperly stored data about people’s friends, likes, photos, music, location check-ins and groups on a public Amazon server. Pollock said that UpGuard in January tried to notify the organization that its cache of Facebook information had been left open for anyone to download but ultimately received no reply.
On social media, some bemoaned the lag in taking down the compromised data:
Also: Why did Amazon take so long to remove the offending database, even after they were warned by researchers and by us? Nothing happened until I told Facebook, which contacted Amazon again: https://t.co/pBZxMH3GOd
— Sarah Frier (@sarahfrier) April 4, 2019
Both Amazon and Facebook have refrained from addressing this new report directly, instead pointing to overarching policy and efforts to educate the public about data security.
“Facebook’s policies prohibit storing Facebook information in a public database,” the company said.
Facebook has been hit by a number of privacy-related issues, including a glitch that exposed passwords of millions of users stored in readable format within its internal systems to its employees.
Last year, the company came under fire following revelations that Cambridge Analytica obtained personal data of millions of people’s Facebook profiles without their consent.
Facebook later announced changes aimed at protecting user data, including an audit of at least thousands of apps that have the right to access Facebook user data.
Amazon did not respond to requests for comment. It has increased efforts to educate customers about the risks associated with storing user data publicly after several such data privacy lapses by its customers made headlines in recent years.
What do you think of the companies’ responses, PR Daily readers?