Third-Party Apps Exposed Over 540 Million Facebook Records | WIRED

February 28, 2019 - MorningStar

In Latest Facebook Data Exposure, History Repeats Itself

Erik Isakson/Getty Images


Researchers at the cybersecurity firm UpGuard have discovered two troves of unprotected Facebook user data sitting on Amazon’s servers, exposing hundreds of millions of records about users, including their names, passwords, comments, interests, and likes. The datasets had been uploaded to Amazon’s cloud system by two different Facebook app developers.

This data leak is just the latest illustration that Facebook has no control over where the data it shares with third parties ends up or how securely it’s stored. That fact became abundantly clear last year with the Cambridge Analytica scandal, when one University of Cambridge academic was able to collect tens of millions of Facebook users’ data without their knowledge, using a personality profiling quiz app. After that story made headlines, Facebook vowed to crack down on data access and audit app developers that ever had access to mass quantities of data. But UpGuard’s findings illustrate the limits of Facebook’s control over information it’s already given away. As the researchers put it in a blog post, “The data genie cannot be put back in the bottle.”

According to UpGuard, one of the exposed databases belonged to a Mexican company called Cultura Colectiva, which used Amazon cloud services to store some 146 gigabytes of data, including 540 million different records. UpGuard alerted the company of the exposure in early January, but received no response. By the end of January, the researchers alerted Amazon, which, in turn, alerted Cultura Colectiva again. But the database wasn’t secured until Wednesday, UpGuard reports, after Bloomberg contacted Facebook about it.

Issie Lapowsky covers the intersection of tech, politics, and national affairs for WIRED.

“Facebook's policies prohibit storing Facebook information in a public database. Once alerted to the issue, we worked with Amazon to take down the databases,” a Facebook spokesperson said in a statement. “We are committed to working with the developers on our platform to protect people's data.”

The other database belonged to an app called At the Pool. While the At the Pool database was smaller, it also contained plaintext user passwords for 22,000 users. "The passwords are presumably for the 'At the Pool' app rather than for the user’s Facebook account," UpGuard writes, "but would put users at risk who have reused the same password across accounts." That database was taken down during UpGuard's reporting, and the researchers say it’s unclear how long people’s information was exposed. The app, At the Pool, appears to have shut down in 2014.

Facebook's spokesperson said the company is continuing to assess the extent of the information that was available and how people might have been impacted. Of course, this is precisely what Facebook promised to do following the Cambridge Analytica breach. Indeed, the company has suspended hundreds of apps from the platform, citing concerns over "how the information people chose to share with the app may have been used." And yet, UpGuard's findings raise questions about whether Facebook is adequately investigating how that information is being stored by those third parties, as well. In the case of Cambridge Analytica, the researcher who collected the data knowingly sold it, which was a violation of Facebook's terms. But even a well-meaning app developer who naively neglects to secure all this data properly poses just as serious a threat to users' privacy.

"The surface area for protecting the data of Facebook users is thus vast and heterogenous, and the responsibility for securing it lies with millions of app developers who have built on its platform," the UpGuard researchers wrote.

Recently, Facebook CEO Mark Zuckerberg laid out a plan for a new type of privacy-focused social network, in which all messages are encrypted, and the content people share is increasingly ephemeral. "People clearly really want this because of what they're doing and what we're seeing people do in our products," he told WIRED. Going forward, he says, privacy will be core to the decisions that guide Facebook's future. But as this data exposure shows, he may have trouble escaping the decisions Facebook has made in its past.

Updated 4-3-2019, 3:46 pm EDT: This story has been updated to clarify that UpGuard presumes the plaintext passwords it discovered are associated with At the Pool accounts, not the users' Facebook accounts.

