Researchers at the cybersecurity firm UpGuard on Wednesday said they had discovered the existence of two datasets together containing the personal data of hundreds of millions of Facebook users. Both were left publicly accessible.
In a blog post, UpGuard connected one of the leaky databases to a Mexico-based media company called Cultura Colectiva. The dataset reportedly contains over 146 GB of data, which amounts to over 540 million Facebook user records, including comments, likes, reactions, account names, Facebook user IDs, and more.
Both datasets were stored in unsecured Amazon S3 buckets and could be accessed by virtually anyone. Neither was password protected. The buckets have since been secured or taken offline.
“The data sets vary in when they were last updated, the data points present, and the number of unique individuals in each,” UpGuard said. “What ties them together is that they both contain data about Facebook users, describing their interests, relationships, and interactions, that were available to third party developers.”
UpGuard added: “As Facebook faces scrutiny over its data stewardship practices, they have made efforts to reduce third party access. But as these exposures show, the data genie cannot be put back in the bottle. Data about Facebook users has been spread far beyond the bounds of what Facebook can control today.”
Facebook did not immediately respond to Gizmodo’s request for comment.
Update, 3:40pm: Added text clarifying that the 22,000 passwords discovered by UpGuard belong to Facebook users, but may not grant access to actual Facebook accounts. UpGuard reported that, “presumably,” the passwords would grant access to the now-defunct app, though the researchers warned it “put users at risk who have reused the same password across accounts.”