April 3 (UPI) -- Millions of Facebook user records were exposed on a public data server, a cybersecurity firm said Wednesday.
The UpGuard Cyber Risk team released a report stating that two third-party developed Facebook app datasets -- one from the Mexico-based media company Cultura Colectiva and another from a Facebook-integrated app titled "At the Pool" -- were exposed to the public Internet.
The Cultura Colectiva data included 540 million records detailing comments, likes, reactions, account names and other information, while the "At the Pool" data contained similar information as well as unprotected passwords used in the app by 22,000 users.
"The data sets vary in when they were last updated, the data points present, and the number of unique individuals in each. What ties them together is that they both contain data about Facebook users, describing their interests, relationships, and interactions, that were available to third-party developers," the firm said.
According to UpGuard's report, the data were stored on Amazon S3 buckets configured to allow public download of files.
UpGuard said it sent two notification emails to Cultura Colectiva on Jan. 10 and Jan. 14 and never received a response. It then notified Amazon Web Services of the situation on Jan. 28 and again on Feb. 21, but the data wasn't secured until Wednesday morning.
The firm added that the "At the Pool" data was taken offline prior to a formal notification email being sent.
A Facebook representative told Bloomberg, which first reported the data vulnerability, that the company's policies prohibit storing Facebook information in a public database and once it was alerted of the issue the company worked with Amazon to take down the databases.
During a routine security review last month, Facebook discovered that it had stored hundreds of millions of account passwords with no encryption in plain, searchable text where thousands of employees had access.
The company moved to restrict developer access and conduct a wholesale review of third-party apps last year after the widespread Cambridge Analytica breach.
"These exposures show, the data genie cannot be put back in the bottle. Data about Facebook users has been spread far beyond the bounds of what Facebook can control today," UpGuard said.