Researchers find data for millions of Facebook users exposed on the internet

Facebook CEO Mark Zuckerberg speaks at Facebook Inc's annual F8 developers conference in San Jose, California, on May 1, 2018. - Copyright Stephen Lam, Reuters file
By David Ingram with NBC News Tech and Science News

A cybersecurity firm said on Wednesday that it found millions of records openly exposed on the internet containing people's personal data from Facebook, including Facebook passwords for 22,000 people.

UpGuard said in a report on its website that app developers had collected the data by building off the Facebook platform, a method similar to the one used years ago by app developers in the Cambridge Analytica scandal to build detailed datasets about millions of Facebook users.

The latest leaked datasets, including people's likes and interests, were publicly accessible on Amazon-owned servers until after UpGuard found the files and began investigating during the past few months, the company said.

UpGuard said the examples showed how easily app developers have been able to gather information on Facebook users, and how difficult it is for anyone to contain that data once it's been collected.

"The data genie cannot be put back in the bottle," UpGuard said in its report. "Data about Facebook users has been spread far beyond the bounds of what Facebook can control today. Combine that plenitude of personal data with storage technologies that are often misconfigured for public access, and the result is a long tail of data about Facebook users that continues to leak."

Facebook has cracked down on the access to data that third-party app developers previously had. In 2015, the company restricted access to data about users' friends, and Facebook imposed new restrictions last year, after users, lawmakers and privacy advocates raised an outcry over the data held by Cambridge Analytica.

Facebook said in a statement on Wednesday that its policies prohibit storing Facebook information in a public database.

"Once alerted to the issue, we worked with Amazon to take down the databases. We are committed to working with the developers on our platform to protect people's data," the company said.

UpGuard said it found two instances of Facebook data exposed online. One dataset belonged to Mexico-based media company Cultura Colectiva and contained more than 540 million records detailing information such as Facebook comments, likes and reactions.

Cultura Colectiva did not immediately respond to a request for comment.

The second dataset related to an app called "At the Pool." It was smaller but contained unencrypted Facebook passwords for 22,000 users, as well as email addresses and other information, UpGuard said. The app ceased operation in 2014, according to the report.

Last month, Facebook said it had found a separate example of passwords stored insecurely. The company said an internal security review discovered the passwords of hundreds of millions of users had been stored on company servers without encryption, though no passwords were leaked and the company found no indication the data was improperly accessed.