Report: Millions of Facebook user records, including plain text passwords, left exposed online

Third-party apps scraped Facebook user data and then left it exposed online for anyone to download.
By Jack Morse

Another day, another Facebook privacy scandal.

Hundreds of millions of Facebook user records — including some plain text passwords — were found exposed online free and open for the taking. So reports UpGuard, a cybersecurity risk assessment company, which notes in an April 3 press release that the two data sets in question were configured for public download. Yes, that means that anyone who knew where to look could have pulled them.

At the heart of the matter are two third-party app datasets stored on Amazon S3 buckets containing reams of Facebook users' info. One such set, from Cultura Colectiva, reportedly had "540 million records detailing comments, likes, reactions, account names, FB IDs and more."

According to UpGuard, the second dataset, from a third-party Facebook app titled At the Pool, "contained columns for fk_user_id, fb_user, fb_friends, fb_likes, fb_music, fb_movies, fb_books, fb_photos, fb_events, fb_groups, fb+checkins, fb_interests, password, and more."

In other words, presumably a list of users' friends, likes, groups, and check-in locations — an incredibly revealing amount of data.

While stating that the passwords in the latter data set were "presumably for the 'At the Pool' app rather than for the user’s Facebook account," the UpGuard press release goes on to add that it still "contains plaintext (i.e. unprotected) Facebook passwords for 22,000 users."

You don't reuse passwords across sites, do you?

Notably, this data is no longer in Facebook's control. By allowing third-party apps to scrape Facebook users' information (remember Cambridge Analytica?) the company essentially loses control of it. UpGuard said it notified Cultura Colectiva about the exposed data, starting with an email on Jan. 10 of this year, but has received no response from the company.

UpGuard writes that it was only when Bloomberg reached out to Facebook on April 3 that the data was finally secured. The At The Pool data set, on the other hand, was miraculously pulled offline shortly after UpGuard discovered it. What nice timing.

We reached out to Facebook to determine if At The Pool did in fact have access to, and then expose, the Facebook passwords of 22,000 users. We also asked the company how it intends to prevent this kind of third-party app privacy failure in the future.

A Facebook spokesperson provided the following statement in response:

"Facebook's policies prohibit storing Facebook information in a public database. Once alerted to the issue, we worked with Amazon to take down the databases. We are committed to working with the developers on our platform to protect people's data."

In other words, yeah, it's as bad as it sounds.
