If the first batch compromised user account information and activity, the second revealed passwords, and in plain text at that.
UpGuard says the second dataset came from a now-shuttered Facebook app called "At the Pool" and exposed the unencrypted passwords of some 22,000 users.
It also contained information about users' emails, friends, likes, groups, interests, and check-in locations.
Nature of passwords still unclear
It's unclear whether the passwords compromised in the datasets were for the app or for the Facebook accounts in question. Either way, they pose a serious risk: unprotected passwords can easily be used to compromise users who reuse them across accounts.
What Facebook says on the matter
After the issue got flagged, both publicly visible datasets were pulled from Amazon's servers.
"Facebook's policies prohibit storing Facebook information in a public database," a spokesperson for the company said in a statement.
"Once alerted to the issue, we worked with Amazon to take down the databases. We are committed to working with the developers on our platform to protect people's data."
Now, this makes another bad case for Facebook
As of now, it remains unclear if these datasets were accessed by anyone.
UpGuard says Cultura Colectiva has been contacted about the breach, but the organization has not responded to any of their emails.
Yes, the breach comes from the developers' end, but the matter still raises questions about Facebook, especially about how it handles user data and how far already-leaked information has traveled.