Facebook and Instagram took another major hit. This time, over half a billion user accounts were exposed and had login credentials left open and unencrypted.
Facebook is facing a fresh round of controversy over yet another data breach. No, it has nothing to do with the breach that saw users' pictures exposed. No, it has nothing to do with the 50 million that were the result of a hack. This is a brand new one.
Earlier this month, Facebook was wrapped in yet more controversy thanks to user names and passwords being left out in the open without any encryption at all. In all, more than 540 million accounts were exposed. From Bleeping Computer:
More than 540 million records of Facebook users were exposed by publicly accessible Amazon S3 buckets used by two third-party apps to store user data such as plain text app passwords, account names, user IDs, interests, relationship status, and more.
As discovered by the UpGuard Cyber Risk team, Mexico-based media company Cultura Colectiva stored the records of roughly 540 million of its users within a 146 GB database called “cc-datalake,” stored in a misconfigured Amazon S3 bucket which gave anyone download permissions.
This huge collection of Facebook records contained “comments, likes, reactions, account names, FB IDs and more,” allowing Cultura Colectiva “to tune an algorithm for predicting which future content will generate the most traffic.”
As many people know, Facebook also controls Instagram. That led to questions over whether or not people’s Instagram accounts were exposed. It turns out that the answer is “yes”, but we don’t know exactly how many accounts were exposed. All we do know is that the number is in the “millions”. From TechCrunch:
Facebook has confirmed its password-related security incident last month now affects “millions” of Instagram users, not “tens of thousands” as first thought.
The social media giant confirmed the new information in its updated blog post, first published on March 21.
“We discovered additional logs of Instagram passwords being stored in a readable format,” the company said. “We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others.”
“Our investigation has determined that these stored passwords were not internally abused or improperly accessed,” the updated post said, but the company still has not said how it made that determination.
The widening scope of the data leak is once again putting the privacy and security of Facebook in the spotlight. While it may be a publicity nightmare that keeps repeating itself, it could also be a legal nightmare. Last year, Facebook found itself being investigated by both the US and Ireland over a previous breach. What’s significant about that is that it shows the leak could affect European users. As regular readers here on Freezenet are aware, Europe’s GDPR laws came into force. The fines are quite significant if a company does not alert authorities within the tight deadline after becoming aware of a security problem.
At the very least, this marks the second time Facebook could be vulnerable to the penalties under the European laws.
One thing's for sure: the number of controversies and legal problems revolving around Facebook is continuing to grow.
Drew Wilson on Twitter: @icecube85 and Facebook.