Third Parties Left 540 Million Facebook Records on the Public Internet

The exposures didn’t come from Facebook itself, but do show how data generated by one company can end up exposed thanks to another service.
Image: Cathryn Virginia

For your regular reminder that developers across the world sometimes have real trouble putting any sort of protection on their databases, third party companies left Facebook user data exposed to the open internet, according to cybersecurity firm UpGuard. Bloomberg was first to report the news.

The data exposures do not come from Facebook itself, but instead companies that have been given access or otherwise collected Facebook data and then stored it elsewhere. But the mishaps still show just how easily data from one service can end up exposed thanks to another.


The two exposures come from Mexican media company Cultura Colectiva and an app called “At the Pool,” UpGuard’s announcement reads. The former includes some 146 gigabytes of data and over 540 million records, such as Facebook users’ comments, likes, account names, and unique Facebook identifiers. The later includes passwords, but these credentials appear to be for the app and not for Facebook accounts themselves, UpGuard’s blog post adds.

Got a tip? You can contact Joseph Cox securely on Signal on +44 20 8133 5190, OTR chat on, or email

UpGuard found both datasets on Amazon S3 buckets; data stores that developers commonly use for enterprise projects but sometimes without putting the need for authentication in place to access the data.

Both datasets are now secured, but in Cultura Colectiva’s case, only after Bloomberg reached out to Facebook for comment, UpGuard’s post reads.

Cultura Colectiva told Motherboard in an emailed statement "All the publicly available data provided to us by Facebook, gathered from the fanpages we manage as a publisher, is public, not sensitive, and available to all users who have access to Facebook. We use that information to improve the users’ experience on the internet, and also to generate content that will appeal to, engage, and inspire our audiences."

The Lesson: Again, this breach wasn’t really from Facebook itself, but it does still highlight how third parties can mishandle Facebook user data. In general, if there is an app or service that you grant access to your Facebook or other sensitive account and no longer need it, consider closing your account. That may not guarantee your data is deleted, however, so maybe don’t grant access to some of your more important accounts in the first place.

Update: This piece has been updated to include comment from Cultura Colectiva, and a change in the headline to reflect that the company's collected data did not come from an app, as the company says in its statement, and to clarify that the data is better understood as 540 million records, not as 540 million users' records.