Facebook and Amazon are blaming each other after millions of Facebook records leaked from AWS servers. Two datasets were discovered on Wednesday by Upguard, held by two app developers via publicly accessible AWS S3 buckets.
One of the databases, a backup from 2011 app ‘At the Pool’, contained 22,000 plaintext passwords and other user information. The other has its roots in Cultura Collectiva and contains 450 million records of user’s comments, reactions, likes, and account names.
In response to the discovery, Facebook told Threatpost that app developers performed a “violation of policy”, but that it’s investigating the leaky servers.
“Facebook’s policies prohibit storing Facebook information in a public database,” the spokesperson told the publication. “Once alerted to the issue, we worked with Amazon to take down the databases. We are committed to working with the developers on our platform to protect people’s data.”
Cultra Collective said it notified Facebook about the data on January 10th and 14th, but got no response. It eventually told Amazon on January 28th but says the company only acknowledged the issue.
While this seems like a clear cut case of developer fault, some argue that Facebook also holds some accountability. Ideally, the data provided to developers should already be encrypted, says OSINT security researcher Bob Diachenko.
Others believe the company should ensure third-parties are responsible with its data. Though its developer policy says data should be deleted as soon as it’s not in use, it failed to enforce it in this case.
It also failed to do so with Cambridge Analytica, which grossly misused the data of 83 million users. Clearly, Facebook needs to keep tabs on the practices of developers, but the sheer volume could make that difficult.