The new, improved Facebook email confirmation page. Credit: Sean Gallagher
Big buckets of nope
The user data exposures reported by UpGuard were connected to two different companies’ Facebook-related applications. The first, from Cultura Colectiva—a Mexican media company—was a 146 gigabyte store containing more than 540 million records, including Facebook account IDs and names and associated reactions, “likes,” and comments, among other things. The UpGuard researchers compared the scope of the contents to that collected by Cambridge Analytica.
The second cache, also found in an Amazon S3 bucket, was a database backup from “a Facebook-integrated app called ‘At the Pool,’” the researchers reported. The database included column labels suggesting the data included Facebook user IDs and names, friends, likes, photos, events, groups, location check-ins, and other profile data, including favorite music, books, movies, and interests. There was also a “password” column, but the passwords were “presumably for the ‘At the Pool’ app rather than for the user’s Facebook account,” UpGuard’s researchers reported. Still, these passwords could pose a risk if exposed—particularly if they had been re-used across other accounts.
The S3 buckets containing the data have been shut down or secured. For the Cultura Colectiva store, however, it took nearly four months from the date of first disclosure for the store to be secured. Cultura Colectiva never responded to emails alerting them to the exposed data. It wasn’t until today, when Facebook was contacted about the exposure by a journalist asking for comment, that the data store was secured. The backup for the “At the Pool” app was taken offline before UpGuard could notify the developers; the application is no longer active, and the company that owned the application may have ceased to exist.
Both of these cases show that while Facebook has promised to limit the ability of developers to extract personal data from its service in the wake of the Cambridge Analytica scandal, there are still third parties that have access to large volumes of Facebook data. And Facebook isn’t necessarily policing how those third parties store that data, despite the company’s new policies.