Personal information scraped from the social media profiles of up to 48 million people was left unsecured on a publicly available web storage platform, potentially allowing anyone to access “highly sensitive” data, a new report has warned.
According to security firm UpGuard, which uncovered the vulnerability, Washington-based Localblox pieced together data from Facebook, LinkedIn, Twitter, Zillow, and other sites to “build a three-dimensional picture on every individual affected”, ZD Net reports.
The records were then stored in a single file on a public, unlisted Amazon S3 storage bucket.
While the bucket was secured hours after the researchers alerted Localblox’s CTO to the issue, the entire 1.2 terabyte file containing the information of millions of people had remained available to download for an unspecified amount of time beforehand.
This included names, dates of birth, phone numbers, email addresses, postal addresses, and, sometimes, net worth, according to UpGuard.
After the Cambridge Analytica scandal was first uncovered, Facebook Chief Technology Officer Mike Schroepfer detailed the worrying ease with which third parties could scrape public information from most users’ profiles.
UpGuard’s new report shows exactly that in action.
On the Localblox website, the firm says it “automatically crawls, discovers, extracts, indexes, maps and augments data in a variety of formats from the web and from exchange networks, adding crowd-sourced verification as needed.”
This is used to help ‘companies acquire and utilize a vast amount of information’ from sources on the web.
According to ZD Net, the information in the newly discovered dataset was intended for use in advertising or political campaigning.
“The LocalBlox dataset, 1.2 terabytes in size, contained 48 million records on a lesser or similar number of individual people,” UpGuard wrote in an article about the discovery.
“The presence of scraped data from social media sites like Facebook also highlights an important fact: all too often, data held by widely used websites can be targeted by unknown third parties seeking to monetize this information.
“In such cases, both a targeted website like Facebook and any affected users are being victimized, as personal information entrusted to the social network is snatched up for the benefit of a platform of which no one is aware.”
While the bucket containing the information was unlisted, it sat on the web storage platform without a password protecting its contents, which were stored in a single file titled ‘final_people_data_2017_5_26_48m.json.’
It was discovered in late February by Chris Vickery, director of cyber risk research at UpGuard, who notified CTO Ashfaq Rahman.
The file, which was also viewed by ZD Net, contained detailed information on millions of users, including data that could be used to pinpoint their location.