More than 540 million Facebook records - including users' comments, likes, account names and more - were left exposed on an Amazon cloud-computing server, researchers discovered on Wednesday, marking the latest major privacy and security mishap to plague the social-networking giant.
The trove is one of two data-sets discovered to be in full public view by the security firm UpGuard, which also raised alarms with an app developer that mishandled Facebook records that included users' interests and potentially their app passwords.
Facebook said its policies prohibit app developers from "storing information in a public database," adding in a statement Wednesday it has worked with Amazon to take them down.
"We are committed to working with the developers on our platform to protect people's data," Facebook said.
But the fact that such a vast, full cache of sensitive personal information could have been accessed by anyone online raises fresh questions about Facebook's efforts to protect its users' privacy.
The report from UpGuard comes almost a year after revelations that Cambridge Analytica, a political consultancy, improperly accessed the personal data of 87 million Facebook users with the aid of a quiz app.
The exposure of Facebook's data also illustrated a hard reality: Once accessed or obtained, personal data can live forever.
"All of the data passed from Facebook to literally millions of developers needs to be managed," said Greg Pollock, a vice president at UpGuard. "I don't know that Facebook can clean up the mess they've made. It's an oil spill, that data is out there."
The first set of records appear to belong to a Mexican media company, Cultura Colectiva, which improperly stored data about people's friends, likes, photos, music, location check-ins and groups on a public Amazon server.
Pollock said that UpGuard in January tried to notify the organisation that its cache of Facebook information had been left open for anyone to download but ultimately received no reply.
The second set of mishandled Facebook records originated with a third-party app, called "At The Pool," which ceased operation in 2014.
Stored on Amazon was a trove of data that included names, email addresses and 22,000 users' passwords, according to UpGuard, which could not say how long that information had been left exposed. The firm expressed concern that Facebook users who set the same password on multiple sites and services could be at the greatest risk.
The revelations - first reported by Bloomberg - added to Facebook's mounting privacy woes, which have triggered numerous investigations around the globe. In recent months, the company also has been faulted for leaving millions of users' Facebook passwords stored in plain text.
At the same time, Facebook chief executive Mark Zuckerberg has embarked on a wholesale reimagining of the way users interact with each other on the social-networking site - and the data the company collects. On Saturday, he endorsed the broad contours of new regulation targeting the ways that tech giants tap consumers' personal data.
Prior to 2015, Facebook made it relatively easy for an outside developer to access the profiles of people who signed up for their services and also their friends - such permissions were abused by the academic developer working with Cambridge Analytica. It was unclear whether Cultura Colectiva accessed this data prior to 2015 or afterward, when Facebook put in place more stringent restrictions on developers.
After the Cambridge scandal broke in 2018, Facebook further restricted developer access and embarked on a wholesale review of third party apps.