back to article It's time to reset the 'Days without a Facebook data loss' sign after 500 million records left exposed on AWS

The details of millions of Facebook accounts have been left ripe for harvesting thanks to a pair of careless developers. Professional Shodan jockey Chris Vickery of Upguard spotted a pair of exposed AWS S3 buckets that appear to belong to the coders behind Cultura Colectiva and At the Pool, a pair of third-party apps for …

  1. Doctor Syntax Silver badge

    "The data exposed in each of these sets would not exist without Facebook, yet these data sets are no longer under Facebook’s control."

    If FB makes it possible to abstract data in this way they need to accept responsibility. If they don't want the responsibility the corollary is obvious.

    1. big_D Silver badge

      Under GDPR, they wouldn't be able to share the data with third parties, unless they have the written permission of the user... Clicking "I accept" isn't considered written permission.

      1. Anonymous Coward
        Anonymous Coward

        I think it is, provided they state in the associated Terms that they are going to do that and the tickbox should be disabled by default. The problem is that FB doesn't allow access unless you tick that box, which one could debate as being illegal to start with.

        I have a bigger question, though: why on Earth does someone need that big a dataset? And what due diligence does FB do on third parties handling that amount of data to assure themselves they're only as leaky as Facebook (not a high bar IMHO, but they didn't clear that one either)?

        FB is, of course, going to blame the third party, but they carry serious culpability in allowing a company access without checking things first. Certainly at those sorts of volumes I'd consider that mandatory.

        Zuck can talk all he wants, but I think he'll be on the hook for this one.

        Not that he cares, of course.

        1. Olivier2553 Silver badge

          The problem is that FB doesn't allow access unless you tick that box, which one could debate as being illegal to start with.

          My understanding is that you need on "I accept" box for each and every third party FB will share your data with, else sharing will be illegal under GDPR.

          But that FB decide to not accept registration from people not willing to share their data could be legal.

          1. big_D Silver badge

            GDPR says you cannot refuse people access to the service if they don't agree to share their personal information.

            1. imanidiot Silver badge

              Unless that personal information is required for the performance of the service.

              Important little caveat there, as processing PII is pretty much what Facebook is/does.

              1. big_D Silver badge

                But in this case, they couldn't refuse access, just because you refuse to let them share your information with third parties, that is not essential to the primary use of Facebook - they might want to share that information, but the main part of the service will still work without it.

            2. Olivier2553 Silver badge

              Thanks for the clarification.

        2. imanidiot Silver badge

          At the very least, under the loosest possible interpretation of GDPR they need a SPECIFIC checkbox for " I accept and agree Facebook may share my PII with third parties", which can not be mandatory AND they need to have specific agreements with third parties on how those third parties are supposed to store the data, what they are allowed to do with it, when they have to delete it and who gets access to the data. (The third party has to be GDPR compliant to begin with for it to be legal for Facebook to share data with them)

      2. Mike 137 Bronze badge

        Not necessarily

        They only need a consent for sharing if they have declared that consent is the lawful basis they rely on for that sharing. It's perfectly possible to rely on, for example, legitimate interest. But if they do they must carry out a formal documented assessment of the balance of rights and risks between themselves and the data subject, and they should publicly declare every instance of sharing. It's not sufficient to just state, for example, "we may share with app developers". They must also in principle have validated the security and privacy management of every sharing partner.

        Is there any documentary evidence that nay of this has been done? if not they could be in breach of the regulation.

      3. DontFeedTheTrolls Silver badge
        Headmaster

        Given this is US and Mexico based companies and users, GDPR doesn't directly apply.

        1. A.P. Veening Silver badge

          GDPR

          Given this is US and Mexico based companies and users, GDPR doesn't directly apply.

          It does if there is information about even one EU or EEA citizen or resident in that cache. Given the numbers involved, I'd say it is a certainty GDPR applies unless Facebook can show a very careful selection, in which case it probably is worthless for its intended purposes as it isn't representative.

      4. macjules Silver badge

        Under GDPR I do not think they would be permitted to share the data, for development purposes, at all. I certainly can not see a need for 500m records to be a part of the development process.

  2. Wellyboot Silver badge
    Facepalm

    540 million

    >>>540 million records from Facebook users, mostly in Mexico and Latin America<<<

    So is that the entire population between Rio Grande and Cape Horn?

    1. doublelayer Silver badge

      Re: 540 million

      The populations of all the Spanish-speaking countries from Mexico south* is about 402.4m. Admittedly, this is without considering that the United States and to a lesser extent Brazil has a large population who speak Spanish and that some of Spain's 47.4M people may also view this content. However, I'm reasonably confident that "records" doesn't necessarily mean "users", I.E. there may be more than one record per user. Perhaps they had different records for different types of activities or different publications.

      *All countries with Spanish as an official language were counted if located in North, Central, or South America. The only exception was Cuba, which was not counted as internet access is restricted there. Puerto Rico was counted as a separate entity from the United States, which was not counted.

      1. MachDiamond Silver badge

        Re: 540 million

        Lots of people have multiple accounts and you also have to add in business accounts too. That's just legitimate users. The count really blooms when you factor in the click and upvote bot accounts and the auto-review accounts that exist to allow entities to purchase positive reviews and likes for their Amazon stores. I'm sure there are also mechanics for down-voting and negatively reviewing competitors.

  3. aregross

    I see more regulation coming, a *lot* more! The problem is.... when?

    1. Phil Kingston Silver badge

      And "where". I imagine they'll just shift operations to somewhere that suits them better.

      1. A.P. Veening Silver badge

        And "where". I imagine they'll just shift operations to somewhere that suits them better.

        That won't help, GDPR doesn't care about location, just about data over/from EU and EEA citizens and residents and its protection. And the equivalent Californian legislation isn't concerned about location of the data either.

        1. MachDiamond Silver badge

          "That won't help, GDPR doesn't care about location, just about data over/from EU and EEA citizens and residents and its protection. And the equivalent Californian legislation isn't concerned about location of the data either."

          An argument against will be that the users identified as residing in countries outside the EU. Logging in from an IP address in the EU shouldn't mean that GDPR applies. I log into my email and web site back end when traveling. It doesn't make me an EU citizen or resident.

    2. John Brown (no body) Silver badge

      Well, The Zuck himself as asked for more regulation. The caveat being that he asked for more global regulation so he's obviously expecting some government level international talking shop which he knows will never ever come to any form of consensus and therefore no regulations. But he can truthfully say he asked for it and therefore was being open and helpful. I think he's terrified of GDPR and the rumblings in other countries, including the US, to emulate it.

      1. A.P. Veening Silver badge

        He is right to be terrified of GDPR as Facebook is in serious breach. And GDPR has global reach, as long as data about even one single EU or EEA citizen or resident is involved.

  4. Mark 85 Silver badge

    What will FB do now?

    The barn door was left open. Little late to lock it unless the wolves were visiting someone else's barn. Probably they'll offer the usual "we take our users products privacy very seriously" statement.

  5. Dan 55 Silver badge
    Mushroom

    Facebook wouldn't know privacy if it got slapped round the face with a GDPR

    Have we had the one about Facebook verifying your email by asking for your email password so it can fish through your inbox to find it (and whatever else they feel like)?

    No? Well here it is.

    I wonder if they're stored in plaintext too?

    1. revenant Silver badge
      Thumb Down

      Re: Facebook wouldn't know privacy if it got slapped round the face with a GDPR

      The wording on the request for e-mail details suggests to me that the intent was then to use the e-mail account to send facebook a verification email. Quite a neat technical solution, if so, but definitely scummy and not on at all.

      In particular I noted in one of the articles that covered this, that the researchers noticed a brief message that facebook was downloading contacts. That would explain why they were keen to try out this approach.

      1. Olivier2553 Silver badge

        Re: Facebook wouldn't know privacy if it got slapped round the face with a GDPR

        The wording on the request for e-mail details suggests to me that the intent was then to use the e-mail account to send facebook a verification email.

        I don't see why they would need to do that. The normal way of sending you a mail with a token and asking you to follow a link to verify fits the role well.

        If they really needs you to send them an email from your mailbox, they could send one to you and ask you to reply to them.

        Asking your password means only one thing: they have evil intents. In fact, no one with honest intents will ever ask you for your password. Ever. No where. Never. It could be your ISP hotline, it could be... Never. Ever.

        Well, that is except US border cops, but's that's another topic.

        1. revenant Silver badge

          Re: Facebook wouldn't know privacy if it got slapped round the face with a GDPR

          If they really needs you to send them an email from your mailbox, they could send one to you and ask you to reply to them.

          Indeed. Perhaps this is a reflection of their desire to make the user experience as trouble-free as possible by taking the load off.

          No, on reflection I'll go with your observation that they have evil intents. It is a sensible default assumption as far as dealings with Facebook are concerned.

          1. A.P. Veening Silver badge

            Re: Facebook wouldn't know privacy if it got slapped round the face with a GDPR

            No, on reflection I'll go with your observation that they have evil intents. It is a sensible default assumption as far as dealings with Facebook are concerned.

            I am sorry, but I have to disagree with you. In other cases it would be a sensible default assumption. In the case of Facebook, it is already a proven fact.

        2. A.P. Veening Silver badge

          Re: Facebook wouldn't know privacy if it got slapped round the face with a GDPR

          Asking your password means only one thing: they have evil intents. In fact, no one with honest intents will ever ask you for your password. Ever. No where. Never. It could be your ISP hotline, it could be... Never. Ever.

          Well, that is except US border cops, but's that's another topic.

          US border cops aren't excepted, that is the brotherhood of truly evil persons whose parents weren't introduced to each other.

        3. Kiwi Silver badge
          Boffin

          Re: Facebook wouldn't know privacy if it got slapped round the face with a GDPR

          In fact, no one with honest intents will ever ask you for your password. Ever. No where. Never.

          I did . Often. With honest intents, because that was the only way to do what the customer was contracting me for.

          It was in cases where they were having issues with email and had come to me to sort them out, and the sorting out required I have the password. I could also have, in many cases, retrieved it from their email software, but I did not wish to resort to such tactics without permission.

          And I always asked the user to reset their password afterwards, making it clear we did not wish to have any knowledge of it or access to their emails.

          So yes, in rare cases people will legitimately ask you for your password for your email. But while not non-existent, said instances are quite rare.

          (In FB's case however, no matter what they're asking, it's with evil intent... :) )

    2. Anonymous Coward
      Anonymous Coward

      Re: Facebook wouldn't know privacy if it got slapped round the face with a GDPR

      And a couple years ago Facebook was blocking some of their victims access to their FB pages unless they agreed to installing and running software which scanned the users hard drive and memory.

      https://www.bleepingcomputer.com/forums/t/652533/facebook-forcing-me-to-install-kaspersky-scanner/

  6. adam payne Silver badge

    The Register has contacted Facebook in hopes of finding out what, if anything, it can do to wipe developer databases that are left open. At the time of publication we have yet to hear back.

    Cue stock press release "We take our users privacy very serious...blah blah blah".

  7. Flak
    Flame

    (Un)believable!

    But not surprising.

    Facebook data = water in a leaky bucket.

  8. steviebuk Silver badge

    If...

    ...we were all so ready to adopt "cloud" then we wouldn't have so many of these breaches.

    Or maybe I just don't like "cloud" that much.

  9. tallenglish

    Easy way to control data flow

    Same as the rest of the world that is required to keep user info secure.

    Stop 3rd parties removing it from your site (I think LinkedIn started doing something like this to stop recruiters mining the site for people to email for jobs).

    The minute you let people take data off site, you lose all control - and that should never be allowed.

    Shows how little Facebook actually cares about security of the data it holds, all it cares about is how it can use it to make more money.

    There is another article on The Reg about how a local council just payed a huge fine for giving out 220 unredacted details of gang members, I guess Facebook is imune to these either as Murica cares more about the dollar than security or everyone is scared to call them on their BS.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019