UpGuard is a commercial firm that sells products for companies to prevent and detect data exposures.
The company said in a blog post that the data it found on Amazon’s S3 service included over 540 million records with Facebook user information like comments, reactions and account names that appear to have been uploaded by Mexico-based media company Cultura Colectiva.
UpGuard said it found a database backup for a Facebook-integrated app called “At the Pool,” which included passwords for that app, among other details. This database contained passwords for just 22,000 users, according to UpGuard. That app ceased operations in 2014, UpGuard said.
UpGuard did not find Facebook passwords.
The data was stored in unsecured portions of Amazon’s cloud service that could easily be accessed by outsiders if they had the right information and knew where to look, UpGuard said.
“[AWS] S3 buckets usually have a name,” said UpGuard’s vice president of product Greg Pollock. “In this case, the names were Yeti DB and the other one was CC Data Lake. If you guessed those names and have access to a browser, that’s how easy it is.”
A Facebook spokesperson said the company is investigating the case, and added that UpGuard had not reached out to the company directly as far as she knew. The spokesperson claimed Facebook first became aware of the exposure when a Bloomberg reporter reached out about the story it planned to write on UpGuard’s findings.
“Storing information you get from Facebook on insecure locations is specifically prohibited by our policies,” Facebook told CNBC.
AWS could try to prevent similar incidents in the future by providing two separate options for storing data — one public, and one private, said Pollock.
Amazon and Cultura Colectiva did not immediately return requests for comment.