[BreachExchange] 540 Million Facebook Records Leaked by Public Amazon S3 Buckets

Destry Winant destry at riskbasedsecurity.com
Thu Apr 4 03:11:50 EDT 2019


https://www.bleepingcomputer.com/news/security/540-mllion-facebook-records-leaked-by-public-amazon-s3-buckets/

More than 540 million records of Facebook users were exposed by
publicly accessible Amazon S3 buckets used by two third-party apps to
store user data such as plain text app passwords, account names, user
IDs, interests, relationship status, and more.

As discovered by the UpGuard Cyber Risk team, Mexico-based media
company Cultura Colectiva stored the records of roughly 540 million of
its users within a 146 GB database called "cc-datalake," stored in a
misconfigured Amazon S3 bucket which gave anyone download permissions.
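The root cause described above is a bucket whose ACL (or bucket policy) grants read access to everyone, with nothing at the account or bucket level to override it. The following is an added example, not code from the article or from UpGuard, that audits the three configuration objects the S3 API exposes (GetBucketAcl, GetBucketPolicy, GetPublicAccessBlock) for exactly that condition. It works on constructed JSON samples so it runs offline; the bucket name `example-datalake`, the role ARN and the canonical-ID placeholder are assumptions, not values from the leak.

```python
"""Audit S3 bucket configuration for effective public read access.

Added example (not the article's or UpGuard's code). Operates on the JSON
shapes returned by GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock;
all sample data below is constructed, not the real leaked configuration.
"""
import fnmatch
import json

# Grantee URIs that mean "everyone" and "any AWS account" respectively.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
READ_ACTIONS = ("s3:getobject", "s3:listbucket")  # lower-cased; IAM actions are case-insensitive


def public_acl_grants(acl):
    """Grants to the AllUsers / AuthenticatedUsers groups, as (group, permission) pairs."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            hits.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return hits


def _wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. any identity at all."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Sids of unconditioned Allow statements that give read-type actions to everyone."""
    if not policy:
        return []
    doc = json.loads(policy) if isinstance(policy, str) else policy
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    hits = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _wildcard_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # conditioned public grants need manual review; not flagged here
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        # Action patterns may carry wildcards ("s3:Get*", "s3:*", "*"); match them case-insensitively.
        if any(fnmatch.fnmatchcase(read, pat.lower()) for pat in actions for read in READ_ACTIONS):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


def public_access_block_gaps(pab):
    """Block Public Access flags that are not enabled (all four, if PAB was never configured)."""
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    return [flag for flag in PAB_FLAGS if not cfg.get(flag, False)]


def audit_bucket(name, acl, policy=None, pab=None):
    """Combine the three checks; a public grant only matters if PAB does not neutralise it."""
    grants = public_acl_grants(acl)
    stmts = public_policy_statements(policy)
    gaps = public_access_block_gaps(pab)
    acl_effective = bool(grants) and "IgnorePublicAcls" in gaps
    policy_effective = bool(stmts) and "RestrictPublicBuckets" in gaps
    return {
        "bucket": name,
        "public_acl_grants": grants,
        "public_policy_statements": stmts,
        "block_public_access_gaps": gaps,
        "publicly_readable": acl_effective or policy_effective,
    }


# Constructed sample of a bucket that "gives anyone download permissions":
# AllUsers READ on the ACL, a Principal "*" policy, and PAB never enabled.
OWNER = {"Type": "CanonicalUser", "ID": "owner-canonical-id-placeholder"}
EXPOSED_ACL = {"Owner": OWNER, "Grants": [
    {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-datalake", "arn:aws:s3:::example-datalake/*"]}]})

# Hardened counterpart: owner-only ACL, policy scoped to one role, all four PAB flags on.
HARDENED_ACL = {"Owner": OWNER, "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AnalyticsRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/analytics-reader"},
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-datalake", "arn:aws:s3:::example-datalake/*"]}]})
HARDENED_PAB = {"PublicAccessBlockConfiguration": {flag: True for flag in PAB_FLAGS}}

if __name__ == "__main__":
    for report in (audit_bucket("example-datalake", EXPOSED_ACL, EXPOSED_POLICY, None),
                   audit_bucket("example-datalake", HARDENED_ACL, HARDENED_POLICY, HARDENED_PAB)):
        print(json.dumps(report, indent=2))
```

The `audit_bucket` verdict deliberately depends on Block Public Access: a public ACL with `IgnorePublicAcls` enabled, or a public policy with `RestrictPublicBuckets` enabled, is reported but not counted as exposure, because S3 no longer honours it. Statements with a `Condition` are skipped rather than judged, since whether they are actually public depends on the condition keys; flag them for manual review in a real audit.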

This huge collection of Facebook records contained "comments, likes,
reactions, account names, FB IDs and more," allowing Cultura Colectiva
"to tune an algorithm for predicting which future content will
generate the most traffic."

Another database pertaining to the now-defunct third-party
Facebook-integrated "At the Pool" app (an archived version of the
website is linked from the original article) with only 22,000 records
was also found by UpGuard in a downloadable S3 bucket but,
unfortunately, this one also contained app user passwords in plain
text.

"The passwords are presumably for the “At the Pool” app rather than
for the user’s Facebook account, but would put users at risk who have
reused the same password across accounts," says UpGuard.

In addition, At the Pool's leaked database came with "fk_user_id,
fb_user, fb_friends, fb_likes, fb_music, fb_movies, fb_books,
fb_photos, fb_events, fb_groups, fb+checkins, fb_interests, and more"
user data points.

While this database did not leak anywhere near the amount of data
contained in the exposed Cultura Colectiva database, the fact that it
belongs to a company which ceased its operations five years ago in
2014 makes one think of how many other similar AWS instances are left
out there ready to be downloaded and used in credential stuffing or
similar types of malicious attacks.

There are other similarities when taking into account the two Facebook
user data sets leaked by misconfigured Amazon S3 buckets beside the
number of users who got their sensitive personal info exposed, like
the fact that they are both describing the users' "interests,
relationships, and interactions, that were available to third-party
developers."

While Facebook is now trying to cover their angles saying that user
privacy is one of their main goals, user data collected by third-party
apps is already out there, stored in the cloud within databases that
might or might not be protected adequately.

UpGuard says that they contacted Cultura Colectiva on both January 10
and January 14 to let them know they were leaking their users' data,
but did not receive an answer. However, after getting in touch with
Amazon Web Services on January 28, they were informed that the company
was in the end made aware of the data leak on February 1.

After another exchange and an intervention from Bloomberg who asked
for comment on the issue, the cc-datalake database was eventually
secured on April 3.

The At the Pool database, in turn, was removed during UpGuard's
investigation to confirm its owner and, at the moment, the user data
it leaked is no longer available for anyone to access.

Not the first time it happens

While Facebook is not behind the two leaked databases, the company
certainly went through a rough year or so, seeing that it disclosed a
security vulnerability which impacted around 50 million people in
September 2018, a security flaw that potentially enabled malicious
actors to access sensitive info of all affected users.

During December, a bug in the platform's Photo API may have also
allowed attackers to gain unauthorized access to protected photos of
roughly 6.8 million Facebook users.

Also, in November, an underground forum seller going by the name
"FBSaler" auctioned the information of 120 million Facebook users as
well as the private messages of another 81,000 profiles for 10 cents
each.

