Skip to content
Naked Security Naked Security

Facebook apps expose millions of users’ Facebook data

Once more unto the breach, dear Facebook Friends of Friends...

It’s happened again!

Unsecured personal data found lying around in the cloud!

Unfortunately for Facebook, which has been caught up in numerous “concerned about cybersecurity” stories lately, this isn’t just any old data…

…it’s data that was acquired via Facebook by third-party apps.

It’s a little bit like what happened with Cambridge Analytica – the infamous Facebook app provider that offered so-called psychometric tests to seduce you into giving away a lot of detail about what made you tick, and then turned round and used that data in ways you almost certainly didn’t expect.

Ironically, even though these latest two data spillages, announced yesterday by leak-seeking cybersecurity company Upguard, aren’t quite as scary as the Cambridge Analytica story, they are in some ways even worse.

These breaches happened through plain old carelessness – databases hosted in the cloud and apparently almost casually left open to the world.

That’s like running your own servers in your own server room, but leaving the server room door unlocked with a big sign on it saying, “Free admission. Please don’t be naughty.”

In fact, it’s like copying critical data from your own servers onto a whole boxful of unencrypted USB drives and walking round a Dark Web convention handing them out to all and sundry.

What leaked?

According to Upguard, the latest leaky buckets it found belong to:

  • Cultura Colectiva, a Latin American social networking collective that spilled a giant database of more than 500 million entries, probably covering millions of users (the site itself claims 45 million subscribers). The data apparently included Facebook IDs, likes, friends and more.
  • At the Pool, a Facebook app that seems to have died out back in 2014, leaving its collected data orphaned and exposed. This data apparently included names, email addresses, Facebook IDs and passwords (not Facebook passwords, but stored in plaintext).

In other words, even though this isn’t “a Facebook breach”, because no one broke into Facebook itself, it is “a breach of Facebook data”, made possible by the enormous reach and influence that the Facebook platform enjoys.

Where to go?

It’s almost exactly eight years since we wrote an open letter to Facebook, saying:

We would “like”: Privacy by default, Vetted app developers, Https for everything.

To our very pleasant surprise, Facebook was one of the first big cloud operators to bite the HTTPS bullet, encrypting and authenticating its traffic everywhere, all the time.

At the time, many other companies were complaining that it would be too hard, too expensive, too slow and mostly pointless to encrypt everything, but Facebook proved them all wrong.

But not much has happened in respect of our second “like”, namely greater control over app developers.

The reason for keeping tighter reign on app developers is that they have a privileged position in a rich and sprawling kingdom.

Facebook apps essentially knit themselves into the Facebook ecosystem for free, almost instantly enjoying the imprimatur and reach of the world’s biggest social networking company.

And with freedom comes responsibility – whether that’s the duty not to do sleazy things with data shared in good faith, or simply the duty not to leave collected data lying around insecurely.

Let’s hope that Zuck’s recent company-wide bulletin about getting more serious about privacy brings results – we’re hoping to see fewer apps of higher quality from more reliable developers.

Facebook pulled off a security revolution when it reinvented its transaction security by rapidly adopting HTTPS everywhere-and-all-at-once…

…so let’s hope it can transform itself again, and get rogue apps under control, too.

What to do?

  • Review your Facebook apps and their permissions right now. Go to, choose Apps and Websites from the left-side menu, and use the list of apps and websites, if any, to view and update the info they can request or to remove the apps and websites you no longer want.
  • Review your privacy settings more generally while you’re about it. Use the Privacy menu item on the Settings screen to access the Privacy Settings and Tools page.
  • Turn on 2FA if you haven’t already. Because you can. Use the Security and Login page to set yourself up. You can hand over your mobile phone number for SMS login codes, use an authenticator app, or set up a login token like a Yubikey if you have one.

While we’re handing out advice, here are some general thoughts for the many app producers and consumers out there:

  • If you’re an app developer, whether of Facebook apps, Google Play apps or software for any other platform, stop seeing security as a cost to be driven down. Make it a value that you can use to establish your trustworthiness.
  • If you’re an app user, learn to be selective. Choose apps from companies that have earned your trust rather than simply claiming it. Avoid apps just because they’re fun or cool. Less is more.
  • If you’re an app enabler like Facebook, regardless of the scale of your operation, remember our plea from April 2011, “We would like: vetted app developers”. Rapid signup procedures for developers may be egalitarian and convenient, but they seem so often to end in tears.


No sympathy, people read day in and day out of the dangers of using Facebook, but day in and day out they let Mr Zuckerberg into their homes to ransack all their private files and drawers. Then with a cheery wave he leaves to use the data against them in any way he can, and if he can’t then he’ll sell it to someone who can. Always leaving the door ajar so he can come back again to do it all again whenever he feels like it. If God didn’t want them to be sheared then he wouldn’t have made them sheep.


Agreed that Facebook has poor privacy issues, and that people seem not to care, but this article is more about app developers that have access to the user’s data who use those apps.


Simple: stop using Fakebook as it serves only one purpose in making the master of the universe, Zuckerberg even richer.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!