Personal Facebook data was made publicly available on the internet, company admits

Sign up to our free weekly IndyTech newsletter delivered straight to your inbox

Sign up to our free IndyTech newsletter

Please enter a valid email address

Please enter a valid email address

SIGN UP

I would like to be emailed about offers, events and updates from The Independent. Read our privacy notice

Personal Facebook data was uploaded to be publicly accessible on the internet, the company has admitted.

Hundreds of millions of records which included people’s activity on the site had been stored on the internet in a way that allowed anyone to access them, cybersecurity firm UpGuard found.

In all, more than 540 million of the records, including account names, comments and likes, were publicly available on Amazon’s cloud servers after they were uploaded by two third-party apps.

It is just the latest time that Facebook has been accused of failing to protect the privacy of the billions of people who use its site to store their private data.

Facebook said it had taken down the databases once it was made aware of them.

“Facebook’s policies prohibit storing Facebook information in a public database,” a company spokesperson said in a statement.

“Once alerted to the issue, we worked with Amazon to take down the databases. We are committed to working with the developers on our platform to protect people’s data.”

The company confirmed it was continuing to investigate the incident.

The databases were from a Mexico-based media company called Cultura Colectiva and an app called At The Pool, the security researchers said.

The incident is the latest in a growing catalogue of data issues for the company, following widespread incidents of misinformation being spread on the network, breaches of user data and allegations of political manipulation.

In October last year, Facebook also revealed millions of email addresses, phone numbers and other pieces of personal user information were compromised during a security breach, affecting as many as 50 million accounts.

Last month, the company also admitted that millions of Facebook, Facebook Lite and some Instagram users had their passwords stored in plain text, leaving the accounts in question at risk.

Cybersecurity expert Ilia Kolochenko, chief executive of online security firm High-Tech Bridge, said Facebook’s problem was the amount of data it reportedly shared with third parties meant it was losing the ability to stop such leaks.

“The reported leak is actually not that dramatic: the 540-million-record database contains mostly publicly accessible data, while the second database with passwords in plain text contains just 22,000 records – a drop in the ocean of leaked credentials in 2018,” he said.

“The real problem is that most of the data – reportedly shared by Facebook with its partners – still remains somewhere, with numerous uncontrolled backups and unauthorised copies, some of which are being sold on the black market already.

“It is impossible to control this data, and users’ privacy is at huge risk. Even if they change their passwords, other data such as private messages, for example, or search history – will remain affixed somewhere and often in hands of unscrupulous third parties.”

Additional reporting by agencies