One of the databases, a backup from 2011 app ‘At the Pool’, contained 22,000 plaintext passwords and other user information. The other has its roots in Cultura Collectiva and contains 450 million records of user’s comments, reactions, likes, and account names. In response to the discovery, Facebook told Threatpost that app developers performed a “violation of policy”, but that it’s investigating the leaky servers.
Facebook’s Culpability
While this seems like a clear cut case of developer fault, some argue that Facebook also holds some accountability. Ideally, the data provided to developers should already be encrypted, says OSINT security researcher Bob Diachenko. Others believe the company should ensure third-parties are responsible with its data. Though its developer policy says data should be deleted as soon as it’s not in use, it failed to enforce it in this case. It also failed to do so with Cambridge Analytica, which grossly misused the data of 83 million users. Clearly, Facebook needs to keep tabs on the practices of developers, but the sheer volume could make that difficult.