There's a lot of very obvious "didn't bother reading the article but I'm going to comment on the headline" behaviour in this thread.<p>FB users put their details on their publicly accessible FB, someone ran a scraper across FB for publicly accessible info and dumped it into an insecure elasticsearch cluster and a researcher found that cluster.<p>How is FB at fault there? I say this as someone who has colossal issues with that company in general.
Just a reminder that Comparitech "pays" security researchers for "data breaches" and most likely encourages people to report these things to them without getting servers patched: <a href="https://twitter.com/securinti/status/1196850409924681728" rel="nofollow">https://twitter.com/securinti/status/1196850409924681728</a><p>No offense, but if you need to "pay" for your researcher, you're probably not that ethical and are most likely behind some intentional offensive hacking, so people can make money off your back.
Facebook has fundamentally lost control of their infrastructure. It is insanity. There are now VPNs out of Hong Kong operating out of FB ASN space. I truly have never seen anything like this in my life.<p>At FB the morale has collapsed. The support forums and bug bounty submissions are piling up and have been for weeks.<p>FB cannot and will not act. It is a problem of leadership, not engineering, and I have tremendous respect for nearly all of the staff there.<p>That being said, the fact that Facebook continues to ignore that servers in Vietnam are hosting what appears to be all 71 million records of the Vietnamese people is shocking. If you are a Muslim in Vietnam the information is shockingly detailed.<p><a href="http://125.212.244.27:9200/_cat/indices" rel="nofollow">http://125.212.244.27:9200/_cat/indices</a>
> This will reduce the chances of your profile being scraped by third parties, but the only way to ensure it never happens again is to completely deactivate or delete your Facebook account.<p><i>Translation: the only way to have an account is to not have an account.</i>
The author describes himself as: "TECH WRITER, PRIVACY ADVOCATE AND VPN EXPERT" (capitalization from source)<p>"...the trove of data is most likely the result of an illegal scraping operation or Facebook API abuse by criminals..."<p>More cyber alarmism. What would these "VPN experts" say to a phone directory?<p>He goes on to describe how this was reported as abuse to the service provider instead of notifying the owners of the DB.<p>Finally he concludes that users can manage their privacy settings from within Facebook, thereby acknowledging that users can manage their data or have chosen to provide it publicly.<p>The cyber-alarmism trend from self-appointed security experts has gone too far.
<p><pre><code> Zuckerberg: Yeah so if you ever need info about anyone at Harvard
Zuckerberg: Just ask.
Zuckerberg: I have over 4,000 emails, pictures, addresses, SNS
[Redacted Friend's Name]: What? How'd you manage that one?
Zuckerberg: People just submitted it.
Zuckerberg: I don't know why.
Zuckerberg: They "trust me"
Zuckerberg: Dumb fucks.
</code></pre>
<a href="https://www.businessinsider.com/well-these-new-zuckerberg-ims-wont-help-facebooks-privacy-problems-2010-5" rel="nofollow">https://www.businessinsider.com/well-these-new-zuckerberg-im...</a>
What this highlights is that it is damn simple to be a poor developer yet achieve a particular goal. You can brute force your way towards that goal, ignoring any sort of costly 'useless' security, usability or user privacy aspects. Even more so if you're a criminal. GDPR|CCPA < INTERPOL!<p>This is never going to end. This is true for criminal orgs, but also for legit businesses that, despite regulations, will mostly prioritize features for their customers over less tangible/monetizable value like hardened infrastructure and updated software.<p>Maybe I'm wrong and this cluster was left exposed for another reason, though.