It seems just about every "data breach" like this turns out to be an S3 bucket left open to anyone, or a MongoDB instance left with default settings/etc... With how easy it has become to vacuum up such huge amounts of data, this type of "breach" really needs to stop :(
No screaming red banner, but each bucket does indeed get marked with large orange rectangle that reads “Public”. It’s easily noticeable.
In my limited experience, a lot of the open buckets problem comes from the fact that access to * is the path of least resistance vs a proper IAM and bucket config.
When feature work is on the line ain’t nobody got time for that :/
A lot of devs likely using aws in this manner are also not likely using the web interface an instead operating from cli pipelines where it’s easy to miss
Amazing how a third party can harvest that amount of data and Facebook is freely handing it out... they really have no control over the data they process and handle. It's been shown again and again.
It seems Facebook should be forced to disable any kind of data sharing with 3rd parties since they obviously cannot make it work. They have enough issues with the security of internal data handling procedurs already that they have to fix, before giving data to third parties.
Third parties can always just resort to web-scraping if API support is dropped. If you consistently scrape public pages on Facebook, you can amass a trove of data within a year. By supporting an API, Facebook offers a controlled avenue for this to happen, which people pay for because it's easier than scraping. It will still happen if this doesn't exist, though.
Alas, the 21st century provides the opportunity to address the growing scourge of using sounds or combinations of letters that communicate meaning without being divisible into smaller units capable of independent use.
These things are very hard to stop. First law of the internet says that if you have a public website, it will be scraped and turned into structured data. Over the years, Facebook has been adding more options to make profiles private, etc. but there are still loopholes around these things with 3rd party "delegated" authentication.
The "540 million records" wording seems misleading (probably intentionally by UpGuard and/or TechCrunch). The screenshot on https://www.upguard.com/breaches/facebook-user-data-leak leads me to think that this is 540m object records of various types (posts, comments, etc), not records of 540m distinct users like some readers would think.
It sounds like a lot, but it's not. You could probably scrape that much data from public Facebook pages in a few days without even being logged in, especially a few years ago. Heck, you could say right now that Reddit has billions of user records exposed if you define them that way. The Hacker News first page itself links to thousands of user records :)
https://www.facebook.com/data-abuse - as mentioned in the article this scenario (non-fb companies mishandling fb user data) is exactly the reason Facebooks data abuse bounty program exists. Hopefully the finders of this submitted to the program.
22 comments
[ 2.5 ms ] story [ 57.0 ms ] threadIt seems Facebook should be forced to disable any kind of data sharing with 3rd parties since they obviously cannot make it work. They have enough issues with the security of internal data handling procedurs already that they have to fix, before giving data to third parties.
That is a massive part of their model, so that will never happen. The alternative of course is to stop giving them data.
It sounds like a lot, but it's not. You could probably scrape that much data from public Facebook pages in a few days without even being logged in, especially a few years ago. Heck, you could say right now that Reddit has billions of user records exposed if you define them that way. The Hacker News first page itself links to thousands of user records :)