The UpGuard Cyber Risk team have found that two more third-party developed Facebook app datasets are exposed to the public internet. One, originating from the Mexico-based media company Cultura Colectiva, weighs in at 146 gigabytes and contains over 540 million records detailing comments, likes, reactions, account names, FB IDs and more. This same type of collection, in similarly concentrated form, has been cause for concern in the recent past, given the potential uses of such data.
The second exposed AWS bucket was associated with a defunct application called “At the Pool.” This database also stored information on Facebook customers and their interests, but it also included names, email addresses and plaintext passwords for 22,000 users. While the passwords were likely associated with At the Pool accounts, they could have also exposed Facebook and other accounts to takeover attempts due to password reuse.
The data sets vary in when they were last updated, the data points present, and the number of unique individuals in each. What ties them together is that they both contain data about Facebook users, describing their interests, relationships, and interactions, that were available to third party developers.
Read the full report from Upguard here.