540 Million Facebook Records Left Exposed

Researchers discovered likes, comments, and IDs from Facebook users unprotected on the internet


Personal information about Facebook users has been mishandled yet again.

Researchers at UpGuard, a cybersecurity firm, reported Wednesday that they discovered more than 540 million individual Facebook records stored unprotected on the internet by third-party developers. The data included people's Facebook IDs, account names, likes, comments, and reactions.

UpGuard found two different data sets, both sitting in Amazon S3 storage buckets that anyone on the internet could read. The bigger, 146-gigabyte trove, which accounts for the roughly 540 million records, had been collected from Facebook by a Mexican media company, Cultura Colectiva. The second, much smaller data set came from a Facebook-integrated app called At the Pool, which ceased operation in 2014. Besides Facebook profile data, it held plaintext passwords for about 22,000 users, presumably for the app itself rather than for Facebook, which still matters for anyone who reused that password elsewhere. Both data sets were being stored through Amazon's cloud-computing subsidiary, Amazon Web Services.


These weren't data breaches by hackers. The developers obtained the information legitimately through Facebook's developer platform, then left it in cloud storage configured so that anyone who found the bucket's address could download it, with no password or credentials required.
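The failure mode behind both exposures is a cloud storage bucket (Amazon S3, according to UpGuard's report) whose access control list or bucket policy lets anyone read it. What follows is an added example, not code from the article, UpGuard, Facebook, or the developers involved: an offline audit of the three documents that decide whether an S3 bucket is public. The sample ACL, policy, and Block Public Access settings are constructed to mirror the JSON that `aws s3api get-bucket-acl`, `get-bucket-policy`, and `get-public-access-block` return; the bucket name and canonical user ID are hypothetical.

```python
"""Offline audit of S3 bucket ACL, bucket policy, and Block Public Access
settings for anonymous access.

Added example; the sample documents below are constructed to match the
shapes returned by the `aws s3api get-bucket-acl`, `get-bucket-policy` and
`get-public-access-block` commands. Bucket name and IDs are hypothetical.
"""
import json

# Predefined S3 groups whose grants open a bucket to everyone on the
# internet (AllUsers) or to any holder of any AWS account (AuthenticatedUsers).
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# The four Block Public Access flags; all True makes public ACLs and
# policies on the bucket ineffective without rewriting them.
RECOMMENDED_PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def public_acl_grants(acl):
    """Return (grantee_uri, permission) pairs granted to the public groups."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            found.append((grantee["URI"], grant.get("Permission")))
    return found


def _principal_is_everyone(principal):
    """True for the wildcard principal forms: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Return the Sid (or index) of each Allow statement that applies to any
    principal and is not narrowed by a Condition block.

    `policy` may be the JSON string that get-bucket-policy returns or a dict.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given bare
        statements = [statements]
    open_sids = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # Conditioned grants (e.g. on aws:SourceVpce) can still be too
            # broad, but they are not unconditional public access.
            continue
        open_sids.append(stmt.get("Sid", str(idx)))
    return open_sids


def missing_public_access_blocks(config):
    """Return the names of the Block Public Access flags not set to True.

    Accepts either the inner settings dict or the full get-public-access-block
    response, which wraps it in "PublicAccessBlockConfiguration".
    """
    config = config.get("PublicAccessBlockConfiguration", config)
    return sorted(k for k in RECOMMENDED_PUBLIC_ACCESS_BLOCK if not config.get(k))


def audit_bucket(acl, policy, public_access_block):
    """Combine the three checks into one list of human-readable findings."""
    findings = []
    for uri, perm in public_acl_grants(acl):
        findings.append(f"ACL grants {perm} to {uri.rsplit('/', 1)[-1]}")
    for sid in public_policy_statements(policy):
        findings.append(f"policy statement {sid} allows any principal unconditionally")
    for flag in missing_public_access_blocks(public_access_block):
        findings.append(f"Block Public Access flag {flag} is off")
    return findings


# Constructed sample: a bucket left world-readable by both ACL and policy,
# with Block Public Access switched off entirely.
SAMPLE_ACL = {
    "Owner": {"ID": "0123456789abcdef"},  # hypothetical canonical user ID
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-app-exports/*",  # hypothetical bucket
    }],
})

SAMPLE_PUBLIC_ACCESS_BLOCK = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": False, "IgnorePublicAcls": False,
    "BlockPublicPolicy": False, "RestrictPublicBuckets": False}}

if __name__ == "__main__":
    for finding in audit_bucket(SAMPLE_ACL, SAMPLE_POLICY, SAMPLE_PUBLIC_ACCESS_BLOCK):
        print("FINDING:", finding)
```

Against a live account, the same three `aws s3api` calls supply the inputs to `audit_bucket`, and an empty finding list is the state the developers' buckets should have been in. The fastest remediation for an exposed bucket is turning on all four Block Public Access flags at the bucket or account level, which neutralizes public ACLs and policies without editing them; the ACL and policy can then be cleaned up at leisure.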

"As these exposures show, the data genie cannot be put back in the bottle," wrote the researchers on the UpGuard blog. "Data about Facebook users has been spread far beyond the bounds of what Facebook can control today."

There's no way for the public to know whether criminals accessed the data. A bucket that anyone can read leaves no trace on Facebook's side; only the developers' own storage access logs, if they were ever enabled, could show who downloaded the files and when.

"Unfortunately, this is not terribly surprising," says Justin Brookman, director of consumer privacy and technology policy for Consumer Reports. "Facebook's platform made available to third-party apps a lot of very sensitive data from your Facebook profile. And lots of apps make mistakes in configuring databases and, in the process, make lots of things publicly searchable that really shouldn't be."

This is the latest in a long line of revelations about privacy missteps by Facebook since the Cambridge Analytica scandal broke in March 2018. That incident also involved data collected with Facebook's permission.

Other miscues include an October 2018 data breach, a Facebook bug that let developers improperly download user photos, news that Facebook let children amass credit card bills on the site, and federal charges against the company for alleged violations of the Fair Housing Act.

The UpGuard researchers say they warned Cultura Colectiva about the problem on January 10 and again on January 14 and got no response. The data wasn't secured until April 3. The data from At the Pool was reportedly taken offline while UpGuard was investigating it, and before a formal notification was sent.

Facebook says it responded quickly once it learned about the improperly stored data. "Facebook's policies prohibit storing Facebook information in a public database," said a Facebook spokesperson in an email to Consumer Reports. "Once alerted to the issue, we worked with Amazon to take down the databases."

What You Should Do

"It might be a good idea to change your Facebook password," says CR's Brookman, who adds that reusing your Facebook password for other accounts is a very bad idea.

To do that on a computer, click on the question mark icon in the top right corner of your Facebook page, then scroll down to Privacy Shortcuts and Change Your Password.

While you're at it, consider clicking on Use Two-Factor Authentication. That makes it significantly more difficult for someone to break into your account with a stolen or reused password, because you also need a verification code, delivered by text message or generated by an authenticator app, to confirm your identity anytime you log in to Facebook from a device or browser it doesn't recognize.

One caveat: In 2018, researchers discovered that Facebook may use phone numbers collected for two-factor authentication for advertising purposes. And more recently, security experts noticed that Facebook allows other users to look up your profile using those numbers, too.

If you haven't already given Facebook your number, says Bobby Richter, who heads Consumer Reports' privacy and security testing, it's better to use an app such as Duo Mobile or Google Authenticator for two-factor authentication. Those options are available in the settings for Facebook, which can be accessed by clicking on the down arrow icon in the top right hand corner of your Facebook page.

In the wake of the Cambridge Analytica scandal, Facebook withdrew access to personal data from any third-party app that users hadn’t logged in to for 90 days. It also limited apps with Facebook Login access from requesting any info beyond a user's name, profile picture, and email address without an official app review.

Brian Vecci, a top executive at the security firm Varonis, recommends that consumers check which apps are currently collecting data from their accounts and revoke access for those that don't need it.

Here's how you do that: On a computer, click on the downward arrow at the top right of your Facebook page and choose Settings > Apps and Websites > Active. Click on the box next to any app you wish to cut off from data collection and hit Remove.

Once you do that, you will no longer be able to sign in to the app with Facebook Login. For any app you still want to use, set up a separate username and password with that service before removing it.


Allen St. John

I believe that technology has the power to change our lives—for better or for worse. That's why I’ve spent my life reporting and writing about it for outlets of all sorts, from newspapers (such as the Wall Street Journal and the New York Times) to magazines (Popular Mechanics and Rolling Stone) and even my own books ("Newton’s Football" and "Clapton’s Guitar"). For me, there's no better way to spend a day than talking to a bunch of experts about an important subject and then writing a story that'll help others be smarter and better informed.