US data firm leaks 48 million profiles built from Facebook, Twitter and LinkedIn
A Washington-based data firm that built 48 million personal profiles by scraping data from social-media websites leaked the data publicly, according to a report by ZDNet.
The site claims the firm, LocalBox, left the profile data in a public (but unlisted) Amazon S3 storage bucket, where it wasn’t password protected and was eventually uncovered by Chris Vickery, director of cyber risk research at UpGuard.
According to UpGuard, the bucket contained a single compressed file, which, when extracted, revealed a 1.2TB file of public data.
The dataset “combines standard personal information like name and address, with data about the person’s internet usage, such as their LinkedIn histories and Twitter feeds.”
“This combination begins to build a three-dimensional picture of every individual affected – who they are, what they talk about, what they like, even what they do for a living – in essence a blueprint from which to create targeted persuasive content, like advertising or political campaigning,” the report continues.
The security firm reportedly alerted LocalBox about the leak on 28 February, and the bucket was secured hours later.
LocalBox’s chief technology officer, Ashfaq Rahman, told ZDNet in an email that “no other individual is believed to have accessed this file from the S3 bucket.”
On an earlier phone call, he told the site Vickery had “hacked in” to the publicly accessible S3 bucket and also disputed the number of public profiles in the dataset, saying most of it was fabricated data used for testing.
Last month, Facebook found itself in hot water after whistleblower Christopher Wylie accused data company Cambridge Analytica of harvesting the data of 50 million Facebook users to influence the results of the EU referendum and the US presidential election.
Since then the social network has unveiled a raft of changes to its APIs, restricting developers from accessing personal data.
The site also disabled the option to search for Facebook profiles by email or phone number, claiming the feature had been “abused” by malicious actors.
“Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way. So we have now disabled this feature,” Facebook CTO Mike Schroepfer said.
From the end of May, the EU will introduce much tougher data privacy rules as GDPR comes into effect. On Tuesday, Facebook announced that it’ll offer wider privacy protection to all of its users, not just those in the EU.
“Everyone – no matter where they live – will be asked to review important information about how Facebook uses data and make choices about their privacy on Facebook,” the announcement explains.