
Third-party Facebook app data left 20,000+ passwords unprotected


Two third-party Facebook app data sets have been found exposed on the internet by UpGuard’s Cyber Risk team. The first data set contained over 146GB of records and the second one exposed passwords of 22,000 Facebook users in plain text.

Facebook has been in the news for a lot of reasons since it was launched in 2004, but none of them has been good in recent years, mostly because of the company’s negligence where the privacy and security of its users is concerned.

The first database found exposed on the public internet originated from Cultura Colectiva, a Mexico-based media company. The exposed files contain over 540 million records, which include likes, reactions, comments, account names, FB IDs and some more information.

Even though such large data sets are often considered harmless, past incidents have shown that they can be a cause for concern.

The second database, from a Facebook-integrated app titled ‘At the Pool’, contained the following records: Facebook user ID, username, friends, likes, music, movies, books, photos, events, groups, check-ins, interests, passwords and more.

“The passwords are presumably for the “At the Pool” app rather than for the user’s Facebook account, but would put users at risk who have reused the same password across accounts,” the research points out.

The 22,000 passwords found in this data set were saved in plaintext, which means they were not encrypted and therefore unprotected.

The security researchers reached out to Cultura Colectiva twice in January 2019, but the company didn’t respond.

Although ‘At the Pool’ has been defunct since 2014, the data was stored in Amazon Web Services (AWS), so the research team approached them in January 2019. The data on Amazon’s cloud server wasn’t secured until April 3, 2019, after Bloomberg contacted Facebook for a comment on its story.

Some might argue that this time around, the social media giant cannot be held accountable directly, as according to the company, in the case of third-party apps the responsibility for the security of user data lies with the app developers. But Facebook controls the ecosystem and can make stricter rules for developers building apps connected with its platform so that such incidents don’t repeat themselves in the future.

“As Facebook faces scrutiny over its data stewardship practices, they have made efforts to reduce third-party access. But as these exposures show, the data genie cannot be put back in the bottle. Data about Facebook users has been spread far beyond the bounds of what Facebook can control today.”




Writes news mostly and edits almost everything at Candid.Technology. He loves taking trips on his bikes or chugging beers as Manchester United battle rivals. Contact Prayank via email: