Researchers at cybersecurity firm Upguard found that in one example, media firm Cultura Colectiva had posted 540m user records in a public database that included information such as account names, Facebook identification numbers, comments and likes.
Another app, named At The Pool, had publicly stored data including email addresses, friend lists, photos, location data and passwords on an Amazon cloud server. Around 22,000 Facebook passwords were found in the leak.
Facebook shares pared the gains they had made earlier today after reports of the breach surfaced.
"What ties [the two leaks] together is that they both contain data about Facebook users, describing their interests, relationships, and interactions, that were available to third party developers," wrote Upguard in a blog post.
"As Facebook faces scrutiny over its data stewardship practices, they have made efforts to reduce third party access. But as these exposures show, the data genie cannot be put back in the bottle."
Upguard said Cultura Colective had not responded to multiple notifications about the leak for several months, with Amazon also failing to take action on Cultura's behalf until early this morning after Upguard's report was made public.
Both Cultura and At The Pool's databases have since been secured or taken offline.
An Amazon Web Services spokesperson said: “AWS customers own and fully control their data. When we receive an abuse report concerning content that is not clearly illegal or otherwise prohibited, we notify the customer in question and ask that they take appropriate action, which is what happened here.”
A Facebook spokesperson said: “Facebook's policies prohibit storing Facebook information in a public database. Once alerted to the issue, we worked with Amazon to take down the databases. We are committed to working with the developers on our platform to protect people's data.”