User data firm exposes 48m records in S3 bucket

A firm that built 48 million psychographic profiles of individuals for the purpose of targeted advertising left them sitting in a publicly-accessible S3 bucket, according to security researchers.

The latest misconfiguration bungle involved a company called LocalBlox, according to security firm UpGuard.

LocalBlox combines data from across the web - but mostly from social media sites - to build up detailed profiles of people for the purpose of targeted advertising.

Researchers said they found an AWS S3 bucket that had been misconfigured for access via the internet on February 18.

“The bucket contained one 151.3 GB compressed file, which, when decompressed, revealed a 1.2 TB ndjson (newline-delineated json) file,” UpGuard said in a blog post.

“The massive file contains 48 million records, each in json format and separated by new lines.

“The database appears to work by tracking an IP address, matching collected data to that IP address when able, and thus providing a clearer image of the behavior and background of the user at that IP address.”

Metadata pointed to LocalBlox as the owner and UpGuard said it notified the company on February 28; “the bucket was secured later that day”, it said.

Analysis of the file’s contents by researchers suggested that at least some of the information “was scraped from the Facebook html rather than gathered through the API.”

The researchers said the data breach “highlights the ease with which Facebook data can be scraped, and the ubiquity of Facebook information in psychographic datasets.”

“The exposed data wasn’t just a customer list, but the very product LocalBlox offers,” UpGuard said.

“Their value statements about the power of their data provide some insight into exactly why exposing such data is extremely dangerous.”

The researchers generally criticised the existence of companies scraping data and pulling together large, detailed sets of information about people - particularly those that operated without consumer consent or knowledge.

“Data held by widely used websites can be targeted by unknown third parties seeking to monetise this information,” UpGuard said.

“In such cases, both a targeted website like Facebook and any affected users are being victimised, as personal information entrusted to the social network is snatched up for the benefit of a platform of which no one is aware.”