Facebook app developers left hundreds of millions of user records exposed on publicly visible cloud servers, researchers from security firm UpGuard said today.

The researchers said the larger of the two data sets came from a Mexican media company called Cultura Colectiva. A 146GB data set with information like Facebook user activity, account names, and IDs was found that included more than 540 million records, the researchers said. A similar data set was also found for an app called “At the Pool.” While smaller, the latter included especially personal information, including 22,000 passwords apparently used for the app, rather than directly for Facebook.

It’s not clear how long the data was publicly available, or who may have obtained it from the servers, if anyone. Both data sets were found on Amazon cloud servers, and the data was removed after Facebook was contacted, the researchers said.