Facebook’s struggles with privacy are well known, from the Cambridge Analytica scandal to the company storing passwords in plaintext. Every time, Facebook says it’ll do better, but it seems it still hasn’t done enough.

Recently, researchers from security firm UpGuard found that third-party Facebook app developers left hundreds of millions of user records on publicly visible cloud servers.

Most of the data came from Cultura Colective, a media company based in Mexico. They were responsible for a 146 gigabyte dataset that contained 540 million records detailing comments, likes, reactions, account names, FB IDs, and more.

UpGuard reported they tried contacting Cultura Colective on January 10th, 2019 and again on the 14th to no response.

In addition, researchers found data from an app titled “At the Pool”. It contained personal information along with 22,000 passwords. Although researchers assumed those passwords were for the app itself, they noted it put users at risk if they reused the same one across accounts.

The data was all located on Amazon servers and eventually removed after Facebook was contacted.

“Facebook’s policies prohibit storing Facebook information in a public database,” a Facebook spokesperson told The Verge. “Once alerted to the issue, we worked with Amazon to take down the databases. We are committed to working with the developers on our platform to protect people’s data.”

It seems that these datasets being left open was a mistake, but it’s still another blow against Facebook. As the UpGuard researchers noted, “Data about Facebook users has spread far beyond the bounds of what Facebook can control today.”