Security News

New Facebook data breach exposes 540M records

Avast Security News Team, 3 April 2019

Here we go again... Half a billion Facebook records including user names, passwords and likes posted publicly online.

Facebook strikes again. In the latest security gaffe by the social media giant, over half a billion Facebook records have been found sitting in plain sight by third parties using Amazon’s cloud services. None of the cloud servers were password protected. Has this scenario become too familiar?

Nearly all data records originated from Cultura Colectiva, a Mexico-based media company containing over 540 million records detailing user likes, comments, FB IDs, and more (146GB worth). The other dataset, linked to a now-defunct Facebook-integrated app called At the Pool, was significantly smaller but contained email addresses and plaintext passwords for 22,000 users.

Cultura Colectiva was first notified on January 10th, and Amazon on January 28th. But Cultura’s treasure trove of data wasn’t closed until April 3rd when Bloomberg reached out to Facebook for comment.

There is no evidence to show that the data has been misused, but Facebook has launched an investigation. Since the Cambridge Analytica incident, Facebook has cracked down on access to data that third-party app developers previously held. This precaution came swiftly after lawmakers and privacy advocates raised an outcry over data held by the political consulting and data analysis company.

Facebook has suspended over 400 apps from the platform, citing concerns around “how the information people chose to share with the app may have been used.” ‘At the Pool’ was shut down in 2014 but predates any measure post-Cambridge Analytica.

This latest security breach comes after the Wall Street Journal’s report that found third-party iOS and Android apps sending very personal user data to Facebook, unbeknownst to Facebook users. Also, just four months ago, Facebook admitted to an API bug that gave third-party app developers access to photos that people uploaded to Facebook but chose not to post. The security flaw affected up to 6.8 million Facebook users.  

“Even if Facebook is currently taking care of the data of its users, the truth is that they haven’t done so in the past,” said Luis Corrons, security evangelist at Avast. “Trust can be easily lost and it is hard to get it back, even more so when there are scandals every now and then.  As there is not yet a real competitor that users could move to, Facebook will probably manage to keep a good portion of its users. But, they better step up the game of protecting users’ data or they will be replaced sooner than later.”

So the million-dollar question remains: Is Facebook adequately investigating and implementing sufficient controls over user data, its use, and how it’s secured by third-party apps?


Avast is a global leader in cybersecurity, protecting hundreds of millions of users around the world. Protect all of your devices with award-winning free antivirus. Safeguard your privacy and encrypt your online connection with SecureLine VPN.

Learn more about products that protect your digital life at avast.com. And get all the latest news on today's cyberthreats and how to beat them at blog.avast.com.