UPDATED 21:57 EDT / APRIL 03 2019


540M+ Facebook account details found exposed on misconfigured AWS instances

Data relating to more than 540 million Facebook users has been discovered publicly available on misconfigured Amazon Web Services Inc. instances.

Discovered by security researchers at UpGuard Inc. and revealed Wednesday, the main data exposure came via Cultura Colectiva, a Mexico-based media company, and included Facebook user names, comments, likes, reactions, account names and more.

The second data exposure came via a Facebook app called At the Pool. Although that exposed the details of only 22,000 Facebook users, the exposed data also included plain-text passwords.

In both cases, the Facebook user data was stored in Amazon S3 storage buckets that were publicly accessible.

Both databases are no longer publicly exposed, though the UpGuard researchers noted that they contacted Cultura Colectiva and AWS about the exposed data in January, but it remained online until the story broke today.

Renaud Deraison, co-founder and chief executive officer of Tenable Inc., didn’t hold back, telling SiliconANGLE that it “seems like every other week” a security issue is discovered in the Facebook ecosystem.

“Facebook is giving third-party app developers access to user data,” Deraison said. “That means the company’s massive trove of data is in the hands of potentially thousands of third parties all over the world. App developers are focused mainly on bringing new offerings to market quickly — it’s what consumers have come to expect. It looks like Facebook hasn’t enforced guidelines when it comes to how its partners handle cybersecurity.”

Stephen Cox, vice president and chief security architect of SecureAuth Corp., noted that the problem is endemic because too many organizations are using “poor hygiene” when storing passwords and other sensitive information.

“Unfortunately in this case, because user account names were also exposed, some of the affected users are likely to be compromised due to password reuse,” Cox said. “When people reuse passwords across multiple websites, these sorts of leaks can have far-reaching consequences. The password is simply no longer enough to provide a sufficient level of security in today’s threat landscape.”

Tim Erlin, vice president, product management and strategy at Tripwire Inc., noted that this isn’t the first time that sensitive data has been exposed on unprotected cloud storage.

“Organizations can’t transfer responsibility for securing sensitive data by moving it to the cloud,” Erlin said. “When it’s technically feasible to continuously monitor Amazon storage settings for exactly this scenario, there’s no excuse for not protecting your customer data from this type of breach.”

Photo: Minette Lontsie/Wikimedia Commons
