Facebook suffers another major data breach

Facebook has seldom been out of the headlines over the past 12 months, and it’s a trend that looks set to continue following news of yet another major data breach at the social network.

Reminiscent of last year’s Cambridge Analytica scandal, this latest upset is linked to third-party apps gaining access to Facebook user data, only to store that information without proper security measures in place.

Australian IT firm UpGuard believes around 540 million items of information, including login identities, comments, ‘likes’ and replies, were unearthed on a database uploaded to Amazon Web Services (AWS) cloud servers by Mexican digital publisher Cultura Colectiva.

A second database found belonged to The Pool Party, a now-defunct social network app based in Los Angeles, which exposed names, emails, photos, friends lists and ‘likes’ of 22,000 further users.

An operation is now underway between Facebook and Amazon to take down both databases, but Mark Zuckerberg’s firm has said it does not know how long the data has been in the public domain. It is also unknown whether UK users are caught up in the breach.

One of Facebook’s own rules requires developers with whom Facebook data is shared to store that data in a secure location.

Mr Zuckerberg is still caught up in official investigations relating to Cambridge Analytica, which obtained the data of 87 million people from a Facebook-embedded third-party personality app.

Once installed by Facebook users, the apparently innocuous app was able to access the Facebook Application Programming Interface (API), from which it harvested swathes of account holders’ information prior to 2014. The data exposed by Cultura Colectiva and At The Pool appears to have been obtained in the same way.

In a blog post, UpGuard said:

“What ties them together is that they both contain data about Facebook users, describing their interests, relationships, and interactions, that were available to third party developers.

“These exposures show the data genie cannot be put back in the bottle. Data about Facebook users has been spread far beyond the bounds of what Facebook can control today.

“Combine that plenitude of personal data with storage technologies that are often misconfigured for public access, and the result is a long tail of data about Facebook users that continues to leak.”

A Facebook spokesperson said:

“Facebook’s policies prohibit storing Facebook information in a public database. Once alerted to the issue, we worked with Amazon to take down the databases. We are committed to working with the developers on our platform to protect people’s data.”

