Future Tense

Another 540 Million Facebook Users’ Data Has Been Exposed

Don’t expect news of these serious privacy fouls to stop anytime soon.

Facebook logo displayed on a tablet.
Lionel Bonaventure/AFP/Getty Images

Surprise! Facebook is still a privacy nightmare. The company’s history of porous data sharing continues to haunt both it and us (its fairly helpless users) on the regular. On Wednesday, researchers from the cybersecurity firm UpGuard shared that they found two massive troves of exposed Facebook user data that had been posted publicly on Amazon cloud servers. The data included users’ passwords, names, comments, and likes. The scope of this particular privacy foul from Facebook is tremendous: More than 540 million user records were sitting in plain sight, available to anyone who found them.

The two troves of data came from two different app developers: Cultura Colectiva, a Mexican company that was responsible for the vast majority of the data exposure; and “At the Pool,” an app that’s been defunct since 2014 and had improperly stored records of 22,000 users, including their passwords. Despite being contacted in January by both Amazon and UpGuard, Cultura Colectiva didn’t move to take down the data until Wednesday, when Bloomberg contacted Facebook about the findings. (The data from At the Pool came down during the course of UpGuard’s research.)

This is almost par for the course these days. Facebook is currently in the midst of multiple federal investigations over the Cambridge Analytica scandal that came to a boil about a year ago when it was reported that the voter targeting firm had inappropriately accessed the data of as many as 87 million Facebook users. That led to Facebook suspending hundreds of apps from accessing the social media network, as well as a raft of new privacy rules that restrict how app developers are now allowed to access Facebook user data, but it has not stopped the drip-drip of news that the company’s years of loose habits had come with breach after breach after breach.

Not to mention that it was less than two weeks ago that Brian Krebs reported that Facebook had been storing the passwords of hundreds of millions of Facebook users in plain text accessible to more than 20,000 Facebook employees to see. And it was only last September that Facebook shared its discovery of evidence of a security breach that hit 30 million users—the largest hack in the company’s history. The numbers of people affected by Facebook’s privacy blunders are so large it’s nearly impossible to wrap your head around them: 87 million, 30 million, 540 million—the list goes on. And once user data is exposed, there’s really no way to get it back. It can then be copied and repasted somewhere else in an instant. Even if Facebook works with Amazon to take the exposed personal information down now, that doesn’t mean it hasn’t already been found and posted elsewhere. There’s no putting the toothpaste back in the tube.

Facebook has more than 2.2 billion users, but the company is grappling with hundreds of millions of compromised accounts. That’s no small percentage. There’s a good chance that you or someone you know has been dragged into this privacy nightmare. So the questions that are likely on a lot of users’ minds are: What is there to do? And will this just keep happening forever?

Right now, there’s no comprehensive federal data privacy law in the U.S.—or even a federal requirement for companies to notify users if they’ve been swept up in a data breach or other violation of privacy wherein their data was improperly handled. There have been some proposals in Congress that would impose requirements on how platforms handle user data, but at the moment there’s no piece of legislation that a ton of lawmakers are rallying behind. In California, the strictest privacy law in the country was passed last year, and the details of its implementation are currently being debated before it goes into effect next year. Tech industry lobbyists have been pushing a version of privacy legislation that they feel comfortable with, which would preempt state laws, since last summer. Without any strong legal prohibitions against treating sensitive user data like Halloween candy to be handed out and traded with friends, there’s a strong chance that these kinds of privacy breaches will only continue. And it’s hard to know exactly how these breaches harm users. Yes, they make people vulnerable to identity theft or pernicious ad targeting based on their likes and interests. But the fallout may be way worse than we even know yet.

So at the moment, short of deleting Facebook—which wouldn’t even protect you from being tracked by Facebook’s massive online ad ecosystem or from damage done in the past—the best users can do is change their passwords and go through all their privacy settings and connected apps to better lock down their accounts. Otherwise, if you think that Facebook and other tech companies should be subject to laws that force them to treat user data responsibly, the best you can do is let your elected officials know.

Offline, we get to lock the doors to our homes and cars and use passwords to protect our phones. Online, where we live so much of our lives, we have to trust private companies to keep us locked down. The problem is that when it comes to Facebook, at least, that’s not happening.

Future Tense is a partnership of Slate, New America, and Arizona State University that examines emerging technologies, public policy, and society.