Since the Cambridge Analytica data leak scandal broke in 2017, Facebook has been under severe scrutiny to improve its protection of user privacy. Now the social media company is back in the news for the wrong reasons, and it seems it has not learnt any lesson so far.
Security researchers at UpGuard have come across two instances of Facebook user data left exposed online. Both are said to be the fault of the company's third-party app developer partners, who carelessly handled data backups of close to 146GB containing more than 540 million Facebook users' data, including personally identifiable attributes such as Facebook IDs, account names, likes, comments, reactions, relationships and more.
One of the apps, 'At the Pool', exposed user details openly on the internet through an Amazon S3 bucket configured to allow public download of files. Besides the aforementioned data, it was also found to have leaked passwords, friends lists, groups, books, movies, check-ins, interests and more, which is scarier considering that the data, with its location details, can be used to spy on users.
Another Facebook app partner, Cultura Colectiva, blatantly exposed data such as the passwords of more than 22,000 users in plaintext. In both instances, the critical information was accessible to anybody via an Amazon S3 cloud server.
Though 'At the Pool' has been defunct since 2014, nobody knows for how long its data was exposed. Cultura Colectiva, however, is reckless, as it has neither fixed the security hole nor responded to this date. UpGuard apparently notified Cultura Colectiva on January 10 and again on January 14, but to no avail.
Considering the severity of the situation, Amazon Web Services (AWS) was told about the leak on January 28. Though UpGuard received a swift reply promising to fix the issue, it was not attended to.
On February 21, UpGuard again sent an email to AWS and got the same reply, but the issue was not fixed until this week, after the incident was brought to the attention of Facebook again on April 3.
As of now, the faulty Amazon S3 server has been fixed and there is no danger of Facebook user data being accessed by cybercriminals. But we can't forgive Facebook for repeatedly failing, for so long, to protect the privacy of its users.
For every misstep, the Facebook PR team comes up with lame excuses, and the company shows no tangible effort to scale up security to protect user data. It earns billions of dollars from ads targeted using that data, and it's a shame that Facebook is not concerned a bit about its patrons. It's like biting the hand that feeds.
Keep an eye on this space, as we are awaiting a formal response from a Facebook spokesperson about this data leak incident.