540 Million Facebook Records Leaked Through Third-Party Servers

By Bill Toulas / April 4, 2019

More than half a billion Facebook records including user IDs, likes, comments, and other actions on the social media platform have been accessible for an extended period of time, sitting on Amazon cloud servers that were not password-protected. The 146 GB of this data belongs to Cultura Colectiva, a Mexican media company who worked closely with Facebook in the area of traffic generation prediction, while there’s also a minor exposure of a Facebook-integrated app named “At the Pool”, which exposed the email addresses and passwords of 22000 FB accounts in readable plaintext form.


image source:

The discovery of the unprotected servers was made by UpGuard researchers in January. Cultura Colectiva was informed of the fact on January 10th, and again four days later. Having gotten no response from them, the researchers decided to notify Amazon Web Services on January 28, and while they affirmed that the owner was notified, nothing happened. The database was finally secured on April 3, when the fact reached Bloomberg reporters, and the latter contacted Facebook to ask for a comment. The “At the Pool” data however remained exposed for even longer, as the parent company shut down operations in 2014, so it was probably harder to find someone to take timely action.

Facebook became more careful with what they share with their collaborators following the Cambridge Analytica scandal, but the chaos that underpinned these processes prior to the massive user data leak revelations hasn’t been negated. In the past, Facebook has openly shared user data with literally thousands of third-parties, and this fact cannot be retracted. It’s precisely this problem that leads to massive leaks even today, as Facebook seems to not precisely know who is holding that data, where it’s stored, and how this data is secured. So, if that is the case, then what can be done now?

Unfortunately, not much. Facebook has helped companies like Cultura Colectiva to gather this data and then placed all securing responsibility on them. This approach has obviously not worked out the way Facebook had hoped for, as not all third-parties are equally reliable. Some like “At the Pool” have even gone deceased years ago, leaving derelict databases exposed. All that said, it all boils down to what the users can do. Facebook has not informed the owners of the accounts who have been exposed by this most recent data leak incident, and as they were among the last to know about it, chances are that there are more unprotected databases containing Facebook user data out there right now. If you have a Facebook account, change your associated email, passwords, and enable 2FA wherever you can. At this point, even deleting your Facebook account won’t lower the risk of your “old data” getting exposed to the public.

Are you still using Facebook? We do, and you can visit our page to check out what else is on. If you don’t want to do that, you may check out our Twitter handle instead. Finally, don’t forget about the comment section below, where you can share your thoughts on the above.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: