

Data relating to more than 540 million Facebook users has been discovered publicly available on misconfigured Amazon Web Services Inc. instances.
Discovered by security researchers at UpGuard Inc. and revealed Wednesday, the main data exposure came via Mexico-based media company Cultura Colectiva and included Facebook user names, comments, likes, reactions, account names and more.
The second data exposure came via a Facebook app called At the Pool. Although that exposed the details of only 22,000 Facebook users, the exposed data also included plain-text passwords.
In both cases, the Facebook user data was stored in Amazon S3 storage buckets that were publicly accessible.
Both databases are no longer publicly exposed, though the UpGuard researchers noted that they contacted Cultura Colectiva and AWS about the exposed data in January, but the data remained online until the story broke today.
Renaud Deraison, co-founder and chief executive officer of Tenable Inc., didn’t hold back, telling SiliconANGLE that it “seems like every other week” a security issue is discovered in the Facebook ecosystem.
“Facebook is giving third-party app developers access to user data,” Deraison said. “That means the company’s massive trove of data is in the hands of potentially thousands of third parties all over the world. App developers are focused mainly on bringing new offerings to market quickly — it’s what consumers have come to expect. It looks like Facebook hasn’t enforced guidelines when it comes to how its partners handle cybersecurity.”
Stephen Cox, vice president and chief security architect of SecureAuth Corp., noted that the problem is endemic because too many organizations are using “poor hygiene” when storing passwords and other sensitive information.
“Unfortunately in this case, because user account names were also exposed, some of the affected users are likely to be compromised due to password reuse,” Cox said. “When people reuse passwords across multiple websites, these sort of leaks can have far-reaching consequences. The password is simply no longer enough to provide a sufficient level of security in today’s threat landscape.”
Tim Erlin, vice president, product management and strategy at Tripwire Inc., noted that this isn’t the first time that sensitive data has been exposed on unprotected cloud storage.
“Organizations can’t transfer responsibility for securing sensitive data by moving it to the cloud,” Erlin said. “When it’s technically feasible to continuously monitor Amazon storage settings for exactly this scenario, there’s no excuse for not protecting your customer data from this type of breach.”