Facebook and Twitter on Monday announced that personal data of hundreds of users may have been improperly accessed after they used their accounts to log into certain Android apps downloaded from the Google Play store. The first report came from CNBC, and iOS users so far remain unaffected.
“We have been notified of the problem by third party security researchers,” Twitter wrote in a blog post. In particular, security researchers discovered that a software development kit named One Audience gave third-party developers access to personal data. This includes the email addresses, usernames and most recent tweets of people who used their Twitter accounts to access apps including Giant Square and Photofy.
A Facebook spokesperson sent the following statement regarding Monday’s disclosure: “Security researchers recently notified us about two bad actors, One Audience and Mobiburn, who were paying developers to use malicious software developer kits (SDKs) in a number of apps available in popular app stores. After investigating, we removed the apps from our platform for violating our platform policies and issued cease and desist letters against One Audience and Mobiburn. We plan to notify people whose information we believe was likely shared after they had granted these apps permission to access their profile information like name, email and gender. We encourage people to be cautious when choosing which third-party apps are granted access to their social media accounts.”
“We think it’s important for people to be aware that this exists out there and that they review the apps that they use to connect to their accounts,” said Lindsay McCallum, a Twitter spokeswoman.
Twitter said it will be informing users who were affected. The company said it has also informed Google and Apple about the vulnerability so that they can take further action.
Source: The Verge