Invisible Threat: Facebook (META) and Millions of Exposed S3 Data
What Happened?
In 2019, hundreds of millions of Facebook user records were found stored unprotected on Amazon Web Services (AWS). The exposure was uncovered by research from cybersecurity firm UpGuard. The breach did not originate in Facebook’s own infrastructure; it resulted from misconfigured cloud settings at third-party applications that used Facebook’s APIs.
There were two main data sources:
- Cultura Colectiva, a Mexico-based media company, was storing approximately 540 million user records on AWS S3 without encryption or authentication.
- A defunct application called “At the Pool” was similarly hosting data belonging to over 22,000 users, including personal information (names, email addresses, and passwords), in a publicly accessible manner.
How Did It Happen?
Through the API access Facebook offers developers, various companies could access user data. These applications would access data with user permission and typically store it for analysis within their own systems. However, how this data was stored and secured remained outside Facebook’s direct control.
The two companies in question stored their data in Amazon S3. S3 buckets are private by default, but these buckets were either intentionally made public or left public through a configuration error that went unnoticed. As a result, the datasets became publicly available on the internet and were indexed by search engines like Google.
What Were the Consequences?
- Facebook’s reputation was once again damaged after the Cambridge Analytica scandal.
- Amazon warned its users to utilize the “Block Public Access” feature against misconfigured S3 Buckets.
- Facebook tightened its oversight of third-party applications with API access and revoked access for thousands of applications.
- Investigations were launched under GDPR and similar data protection laws.
What Measures Could Have Been Taken?
- Default Access Policies: S3 Buckets should be configured as private by default, and access changes should be made deliberately and in a controlled manner.
- Data Encryption and Masking: Sensitive information, especially user passwords, should never be stored in plaintext.
- Audit Mechanisms: Facebook should continuously audit third-party applications and revoke API access when necessary.
- Data Minimization: Unnecessary data should not be stored, and stored data should be deleted after a limited period.
- Developer Training: Developers using Facebook APIs should be trained on data security and cloud configurations.
- Contractual Sanctions: Contracts with application developers should include sanctions for data security breaches.
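
As an added example (not from the original article, and not AWS or Facebook tooling), the sketch below shows one way to check the "Default Access Policies" measure: it audits a single bucket's Block Public Access settings, ACL, and bucket policy for public exposure. The input documents are constructed samples shaped like S3 API responses, and the function name `audit_bucket` and bucket name `example-app-exports` are hypothetical.

```python
import json

# Predefined S3 groups that make an ACL grant public.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def audit_bucket(pab, acl, policy_json):
    """Return findings for one bucket. Bucket-level settings only (account-level
    Block Public Access is not modelled); the policy check is a heuristic."""
    pab, findings = pab or {}, []
    missing = [f for f in PAB_FLAGS if not pab.get(f)]
    if missing:
        findings.append("Block Public Access off: " + ", ".join(missing))
    # Public ACL grants stop taking effect once IgnorePublicAcls is enabled.
    if not pab.get("IgnorePublicAcls"):
        for grant in acl.get("Grants", []):
            uri = grant.get("Grantee", {}).get("URI")
            if uri in PUBLIC_GROUPS:
                findings.append(f"ACL grants {grant['Permission']} to {uri.rsplit('/', 1)[-1]}")
    # Flag unconditioned Allow statements with a wildcard principal.
    if policy_json and not pab.get("RestrictPublicBuckets"):
        statements = json.loads(policy_json).get("Statement", [])
        for st in [statements] if isinstance(statements, dict) else statements:
            who = st.get("Principal")
            wildcard = who == "*" or (isinstance(who, dict) and who.get("AWS") in ("*", ["*"]))
            if st.get("Effect") == "Allow" and wildcard and not st.get("Condition"):
                findings.append(f"Policy {st.get('Sid', '<no Sid>')} allows {st.get('Action')} to everyone")
    return findings

# Constructed sample documents (hypothetical bucket name, not from the incident).
OPEN_ACL = {"Grants": [{"Grantee": {"Type": "Group",
            "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-app-exports/*"}]})
LOCKED_PAB = dict.fromkeys(PAB_FLAGS, True)

if __name__ == "__main__":
    for label, pab in (("no Block Public Access", None), ("all four flags on", LOCKED_PAB)):
        print(label, "->", audit_bucket(pab, OPEN_ACL, OPEN_POLICY) or "no findings")
```

The same ACL and policy produce three findings without Block Public Access and none once all four flags are enabled, which is why the setting works as a guardrail even when an individual grant is misconfigured.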