The records were apparently stored there by Facebook partners, not by Facebook itself. Moreover, the data was not particularly sensitive -- for instance, it did not include financial information or Social Security Numbers, which could be used to facilitate identity theft, and which were exposed in the 2017 Equifax breach.
Nonetheless, the exposure highlights the fact that Facebook partners have been able to collect significant amounts of data through their own apps, and that these partners may not always have secured that information adequately. Facebook has faced a barrage of negative publicity over the last two years related to the way it and its partners collect, share and secure data that users store and share on the service.
Facebook stock dipped about 1 percent on the report and ended the day slightly negative. Amazon was off its session highs but still up about 0.4 percent by Wednesday's close.
UpGuard is a commercial firm that sells products for companies to prevent and detect data exposures.
The company said in a blog post that the data it found on Amazon's S3 service included over 540 million records with Facebook user information like comments, reactions and account names that appear to have been uploaded by Mexico-based media company Cultura Colectiva.
UpGuard said it found a database backup for a Facebook-integrated app called "At the Pool," which included passwords for that app, among other details. This database contained passwords for just 22,000 users, according to UpGuard. That app ceased operations in 2014, UpGuard said.
UpGuard did not find Facebook passwords.
The data was stored in unsecured portions of Amazon's cloud service that could easily be accessed by outsiders if they had the right information and knew where to look, UpGuard said.
"[AWS] S3 buckets usually have a name," said UpGuard's vice president of product Greg Pollock. "In this case, the names were Yeti DB and the other one was CC Data Lake. If you guessed those names and have access to a browser, that's how easy it is."
A Facebook spokesperson said the company is investigating the case, and added that UpGuard had not reached out to the company directly as far as she knew. The spokesperson claimed Facebook first became aware of the exposure when a Bloomberg reporter reached out about the story it planned to write on UpGuard's findings.
"Storing information you get from Facebook on insecure locations is specifically prohibited by our policies," Facebook told CNBC.
In a statement, Amazon noted that certain security safeguards of AWS can be overridden by customers, such as the app makers in this case:
AWS customers own and fully control their data. When we receive an abuse report concerning content that is not clearly illegal or otherwise prohibited, we notify the customer in question and ask that they take appropriate action, which is what happened here. While Amazon S3 is secure by default, we offer the flexibility to change our default configurations to suit the many use cases in which broader access is required, such as building a website or hosting publicly downloadable content. As is the case on premises or anywhere else, application builders must ensure that changes they make to access configurations are protecting access as intended.
Cultura Colectiva said it was "concerned about the privacy and security" of its users' data. The company also said in its statement:
The UpGuard Cyber Risk team revealed that some of our datasets containing publicly available data were exposed, which included 540 million interactions such as likes, comments, and reactions. However, neither sensitive nor private data, like emails or passwords, were amongst those because we do not have access to that kind of data, so we did not put our users' privacy and security at risk. We are aware of the potential uses of data in current times, so we have reinforced our security measures to protect the data and privacy of our Facebook fanpages' users.