More than 540 million records of Facebook users were exposed by publicly accessible Amazon S3 buckets used by two third-party apps to store user data such as plain text app passwords, account names, user IDs, interests, relationship status, and more.
As discovered by the UpGuard Cyber Risk team, Mexico-based media company Cultura Colectiva kept the records of roughly 540 million of its users in a 146 GB database called “cc-datalake,” stored in a misconfigured Amazon S3 bucket which gave anyone download permissions.
This huge collection of Facebook records contained “comments, likes, reactions, account names, FB IDs and more,” allowing Cultura Colectiva “to tune an algorithm for predicting which future content will generate the most traffic.”
Another database pertaining to the now-defunct third-party Facebook-integrated “At the Pool” app with only 22,000 was also found by UpGuard in a downloadable S3 bucket but, unfortunately, this one also contained app user passwords in plain text.
“The passwords are presumably for the ‘At the Pool’ app rather than for the user’s Facebook account, but would put users at risk who have reused the same password across accounts,” says UpGuard.
While this database did not leak the huge amount of data contained in the exposed Cultura Colectiva database, the fact that it belongs to a company which ceased its operations five years ago in 2014 makes one think of how many other similar AWS instances are left out there ready to be downloaded and used in credential stuffing or similar types of malicious attacks.