Researchers from UpGuard found that Facebook’s public cloud servers can access millions of Facebook records, which are said to be uploaded to the server by a third-party company that works with Facebook. ” A separate backup from a Facebook-integrated app titled “At the Pool” was also found exposed to the public internet via an Amazon S3 bucket. This database backup contained columns for fk_user_id, fb_user, fb_friends, fb_likes, fb_music, fb_movies, fb_books, fb_photos, fb_events, fb_groups, fb+checkins, fb_interests, password, and more. The passwords are presumably for the “At the Pool” app rather than for the user’s Facebook account, but would put users at risk who have reused the same password across accounts.”
Although Facebook itself did not disclose data, it was indeed the company that provided the data to third-party companies, but the latter failed to keep the data properly, so Facebook also had an unshirkable lack of regulatory responsibility.
“As Facebook faces scrutiny over its data stewardship practices, they have made efforts to reduce third-party access. But as these exposures show, the data genie cannot be put back in the bottle. Data about Facebook users have been spread far beyond the bounds of what Facebook can control today,” experts at UpGuard said.