Similarly, another dataset linked to now-defunct Facebook-integrated app ‘At the Pool’ is said to have stored unprotected plaintext passwords for 22,000 users. While the app was shut down in 2014, UpGuard said it is unclear how long the user details were exposed, as the database became inaccessible while the company was looking into it. “As Facebook faces scrutiny over its data stewardship practices, they have made efforts to reduce third party access. But as these exposures show, the data genie cannot be put back in the bottle,” UpGuard wrote in its blog post. “Data about Facebook users has been spread far beyond the bounds of what Facebook can control today.” While Facebook secured the large dataset on Wednesday after Bloomberg, who first reported the leak, contacted them, the smaller dataset was taken offline during UpGuard’s investigation. Although Facebook did not leak this data, it did share this kind of information freely with third-party developers for years who went on to improperly store it with no scrutiny from the social media giant. “The data exposed in each of these sets would not exist without Facebook, yet these data sets are no longer under Facebook’s control,” the UpGuard researchers wrote in its blogpost. “In each case, the Facebook platform facilitated the collection of data about individuals and its transfer to third parties, who became responsible for its security.” Chris Vickery, Director of Cyber Risk Research at UpGuard, said, “The public doesn’t realize yet that these high-level systems administrators and developers, the people that are custodians of this data, they are being either risky or lazy or cutting corners. Not enough care is being put into the security side of big data.” Facebook said that it was investigating the incident, including how long the data was hosted on the public servers prior to UpGuard’s findings. The company said it will notify users if they find evidence that the data was misused. It should be noted that earlier on Wednesday, Facebook was caught requesting new users to share their email password in order to use the site with many security experts labeling the act as a phishing attack. Later, Facebook had stated that it would stop asking for users’ email passwords as a form of verification.