22 comments

[ 2.5 ms ] story [ 57.0 ms ] thread
Seems it was 3rd party apps data stored in ... openly accessible S3 buckets. -_-
Isn't this the most common reason for these leaks? Does Amazon not have screaming red banners saying "this is gonna be openly accessible?"
It seems just about every "data breach" like this turns out to be an S3 bucket left open to anyone, or a MongoDB instance left with default settings/etc... With how easy it has become to vacuum up such huge amounts of data, this type of "breach" really needs to stop :(
No screaming red banner, but each bucket does indeed get marked with large orange rectangle that reads “Public”. It’s easily noticeable. In my limited experience, a lot of the open buckets problem comes from the fact that access to * is the path of least resistance vs a proper IAM and bucket config. When feature work is on the line ain’t nobody got time for that :/
A lot of devs likely using aws in this manner are also not likely using the web interface an instead operating from cli pipelines where it’s easy to miss
Recently (past couple of years) I’ve noticed you’ll also get emails notifying of any publicly accessible buckets.
Not red, but yes, they make it clear and obvious what this means. People don't do this by accident. It's 100% willful.
Who stands to gain for freely releasing this data?
Also, aren't the buckets private by default?
Amazing how a third party can harvest that amount of data and Facebook is freely handing it out... they really have no control over the data they process and handle. It's been shown again and again.

It seems Facebook should be forced to disable any kind of data sharing with 3rd parties since they obviously cannot make it work. They have enough issues with the security of internal data handling procedurs already that they have to fix, before giving data to third parties.

>It seems Facebook should be forced to disable any kind of data sharing with 3rd parties since they obviously cannot make it work.

That is a massive part of their model, so that will never happen. The alternative of course is to stop giving them data.

Third parties can always just resort to web-scraping if API support is dropped. If you consistently scrape public pages on Facebook, you can amass a trove of data within a year. By supporting an API, Facebook offers a controlled avenue for this to happen, which people pay for because it's easier than scraping. It will still happen if this doesn't exist, though.
It's the 21st century and I think it's time to stop calling these'records'.
540M Facebook compact discs exposed
Alas, the 21st century provides the opportunity to address the growing scourge of using sounds or combinations of letters that communicate meaning without being divisible into smaller units capable of independent use.
These things are very hard to stop. First law of the internet says that if you have a public website, it will be scraped and turned into structured data. Over the years, Facebook has been adding more options to make profiles private, etc. but there are still loopholes around these things with 3rd party "delegated" authentication.
They were moving so fast that they broke things, badly!
tl;dr - Somebody scraped massive amounts of FB data over a number of years and then abandoned it on a public S3 bucket.
The "540 million records" wording seems misleading (probably intentionally by UpGuard and/or TechCrunch). The screenshot on https://www.upguard.com/breaches/facebook-user-data-leak leads me to think that this is 540m object records of various types (posts, comments, etc), not records of 540m distinct users like some readers would think.

It sounds like a lot, but it's not. You could probably scrape that much data from public Facebook pages in a few days without even being logged in, especially a few years ago. Heck, you could say right now that Reddit has billions of user records exposed if you define them that way. The Hacker News first page itself links to thousands of user records :)

https://www.facebook.com/data-abuse - as mentioned in the article this scenario (non-fb companies mishandling fb user data) is exactly the reason Facebooks data abuse bounty program exists. Hopefully the finders of this submitted to the program.