One million Facebook users had passwords stolen by fake apps

Posted in General Discussion, edited October 7
Security researchers at Meta uncovered over 400 malicious apps from the App Store that stole credentials from Facebook users.

[Image: Facebook app logo]

These apps, found on iOS and Android, posed as VPNs, photo editors, games, business apps, and other categories such as horoscope apps. However, the vast majority of the apps were found on the Google Play Store.

The company didn't reveal how many people were affected, but others say it could have been as many as one million Facebook users.

"Many of the apps provided little to no functionality before you logged in, and most provided no functionality even after a person agreed to login," said David Agranovich, Meta's Director of Threat Disruption.

The apps required people to log in with their Facebook account, which is a standard method to sign in with some apps and services. As a result, the apps were able to steal the login credentials.

[Image: Categories of malicious apps. Credit: Meta]

Once an attacker compromises an account in this way, they can potentially access all private information on the person's Facebook profile. They could even message the person's Messenger contacts to send links to the malicious apps and compromise more accounts.

Meta has reported the malicious apps to Apple and Google, and they have been removed from each app store. Through its own app, Facebook is also alerting people who may have been compromised and helping them secure their accounts.

How to stay safe

Meta shared a few things to consider before logging into an app with a Facebook account.

  • Is the app unusable without a Facebook login?

  • Is the app reputable? Check the number of downloads it has, along with ratings and reviews.

  • Does the app provide the functionality it says it will, before or after logging in?

Another way to stay safe is to simply not log in with Facebook. Sign in With Apple is more secure, although not every app will offer it.

Logging in with an old-fashioned email address, using a strong password generated with a password manager such as iCloud Keychain, would also be more secure -- and private -- than Facebook's method.

Comments

  • Reply 1 of 13
    gilly33
    The last paragraph sums it up… but let’s go a step further!

    ”Logging in with an old-fashioned email address, using a strong password generated with a password manager such as iCloud Keychain, would also be more secure — and private — than Facebook's method.”… Now let’s use a forwarding address that’s created specifically for this website/app. Meaning if I downloaded Crazier Birds (made-up app) and it wants me to sign in, I create a forwarding email, [email protected], and then generate a random password. Worst case, hackers get my login to Crazy Bird but nothing else: not my FB, Google, Apple, etc. The hackers literally cannot go anywhere with this, end of the line. They don’t harvest any emails, and if they start spamming my forwarding address, I kill it and no harm done; they don’t get any original personal information.

    But where and how do I get this forwarding address? Great question! Apple started providing this for free; you can even use your own domain for this through Apple. Apple randomly assigns an email for logins. There are also services out there that provide this. Google it!
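The per-app identity scheme described in the reply above (one forwarding address plus one random password per service, and killing the alias when it starts getting spam) can be shown concretely. The following is an added example, not code from the article or from any forwarding service; the alias format, the `alias.example` domain and the in-memory "vault" dictionary are assumptions for illustration. The `blast_radius` function answers the question the reply raises: given one leaked e-mail/password pair, which other accounts can an attacker actually log in to, and which are merely exposed to spam?

```python
import secrets
import string

ALIAS_DOMAIN = "alias.example"  # assumed placeholder domain for a forwarding service


def new_alias(service, domain=ALIAS_DOMAIN):
    """One forwarding address per service; the random tag keeps other aliases unguessable."""
    return "%s.%s@%s" % (service, secrets.token_hex(4), domain)


def new_password(length=20):
    """Random password from the secrets module (CSPRNG), guaranteed to contain lower-case,
    upper-case and digit characters so it passes common site rules."""
    alphabet = string.ascii_letters + string.digits + "-_!@#$%"
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw


def enroll(vault, service):
    """Create an isolated identity for `service` and store it in the (in-memory) vault."""
    vault[service] = {"email": new_alias(service), "password": new_password(), "active": True}
    return vault[service]


def kill_alias(vault, service):
    """The reply's 'I kill it': disable the alias so spam stops; no other account is touched."""
    vault[service]["active"] = False


def blast_radius(vault, leaked_email, leaked_password):
    """Given one leaked credential pair, report which active accounts an attacker could log in
    to with it (same e-mail AND password, i.e. credential stuffing) and which merely share the
    e-mail address (spam / phishing exposure)."""
    login_possible = sorted(s for s, c in vault.items()
                            if c["active"] and c["email"] == leaked_email
                            and c["password"] == leaked_password)
    address_exposed = sorted(s for s, c in vault.items()
                             if c["active"] and c["email"] == leaked_email)
    return {"login_possible": login_possible, "address_exposed": address_exposed}


SERVICES = ("crazier-birds", "bank", "social")  # constructed sample services


def demo():
    """Contrast an isolated vault with a constructed 'reused everywhere' vault."""
    isolated = {}
    for s in SERVICES:
        enroll(isolated, s)
    leak = isolated["crazier-birds"]                       # the game's database leaks
    iso = blast_radius(isolated, leak["email"], leak["password"])

    # Constructed contrast: same three services, one shared e-mail and password.
    reused = {s: {"email": "me@example.com", "password": "Hunter2-2022", "active": True}
              for s in SERVICES}
    re_ = blast_radius(reused, "me@example.com", "Hunter2-2022")

    kill_alias(isolated, "crazier-birds")                 # alias starts getting spam: kill it
    after_kill = blast_radius(isolated, leak["email"], leak["password"])
    return iso, re_, after_kill


if __name__ == "__main__":
    for label, result in zip(("isolated", "reused", "after kill"), demo()):
        print(label, result)
```

With isolated identities the leak reaches exactly one account (`["crazier-birds"]`); with a reused pair all three are reachable; after the alias is killed nothing is reachable and the address no longer receives anything.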
  • Reply 2 of 13
    I NEVER use log in with Facebook, Twitter, Google or any social. It’s either a trash email I keep for this purpose or Log in with Apple. The only problem I’ve found with log in with Apple is resetting passwords. They ask for the original email. 
  • Reply 3 of 13
    Working to prevent this is part of the reason for the 30% commission the App Store charges. Congress needs to get their hands and minds out of campaign donors’ pockets and quit trying to allow alternative app stores and freeloaders on the App Store.
  • Reply 4 of 13
    What's Facebook?
  • Reply 5 of 13
    Anilu_777 said:
    I NEVER use log in with Facebook, Twitter, Google or any social. It’s either a trash email I keep for this purpose or Log in with Apple. The only problem I’ve found with log in with Apple is resetting passwords. They ask for the original email. 
    They are supposed to be high-security identity management. Unfortunately for them, they are not accepted in finance. Only serious vendors with no leaks and issues are.
  • Reply 6 of 13
    xiao-zhi (Posts: 109, member)
    How many of these apps are Apple Insider banner advertisers?
  • Reply 7 of 13
    gatorguy (Posts: 23,469, member)
    xiao-zhi said:
    How many of these apps are Apple Insider banner advertisers?
    With nearly THREE BILLION regular Facebook users of record, one million of them possibly scammed by an app is not even a blip. I know it sounds terrible, but put in perspective it's extremely unlikely anyone you even remotely know is affected. 

    It's impossible to examine every app thoroughly, and scammers are continually on the lookout for ways to get 'cha despite the best efforts of Apple's and Google's app stores to prevent it.
    edited October 7
  • Reply 8 of 13
    y2an (Posts: 135, member)
    I’ve always felt that login with X - regardless of what X is - is inherently unsafe due to scamming. I am just flabbergasted that all the X’s out there think it’s cool. Well of course they do, it provides them with a track of where you’re going. No, a direct account on each site is safer, unique passwords, etc. 

    Of course, your password manager knows where you’re going.
    edited October 7
  • Reply 9 of 13
    zeus423 (Posts: 172, member)
    I tried to set up a Facebag account when it first came out to use with my students. I used the name "Mr. Brown". Facebag put my account on hold because I couldn't "use a fake name." I've done fine all these years without it. Somehow Facebag is okay with "PimpDaddy69" being someone's name, though.
  • Reply 10 of 13
    This article is 90% informative, then falls 10% into an Apple shill cringe opinion piece.

    It’s 2022. I’m not blaming anyone (Google/Apple/Facebook/etc.) for my password being hacked.

    I wouldn’t blame the bus driver for getting a flat tire from running over some glass in the road. I’d blame the a-hole who left the glass there. Or, in this case, the people with the fake apps trying to intentionally phish your information.

    We have the ability to set separate passwords and enable multi-factor authentication for every account (including Facebook!), so if anything got leaked it should be merely an inconvenience, not a huge problem. ALL of these major companies have done this already and seem to be doing their part to help.

    When can we start blaming the individual users for putting their information into the sketchy-looking app, instead of the marketplace where the app is housed? I see this as an educational opportunity to teach users what not to trust in terms of apps and their personal information. I’ve used Facebook login for years and not been hacked because I know well enough what to trust and what NOT to trust in terms of apps. And you can always go into privacy settings and revoke access to those apps. The doors are all there, but the users are too dumb to know how to open them.
  • Reply 11 of 13
    JonDiesel said:
    This article is 90% informative, then falls 10% into an Apple shill cringe opinion piece.

    It’s 2022. I’m not blaming anyone (Google/Apple/Facebook/etc.) for my password being hacked.

    I wouldn’t blame the bus driver for getting a flat tire from running over some glass in the road. I’d blame the a-hole who left the glass there. Or, in this case, the people with the fake apps trying to intentionally phish your information.

    We have the ability to set separate passwords and enable multi-factor authentication for every account (including Facebook!), so if anything got leaked it should be merely an inconvenience, not a huge problem. ALL of these major companies have done this already and seem to be doing their part to help.

    When can we start blaming the individual users for putting their information into the sketchy-looking app, instead of the marketplace where the app is housed? I see this as an educational opportunity to teach users what not to trust in terms of apps and their personal information. I’ve used Facebook login for years and not been hacked because I know well enough what to trust and what NOT to trust in terms of apps. And you can always go into privacy settings and revoke access to those apps. The doors are all there, but the users are too dumb to know how to open them.
    Education is the best long-term solution but it doesn't seem to be a great short-term solution. Combine it with the platforms fighting the scammers' tactics for defence in depth and you end up with a more effective overall approach.
  • Reply 12 of 13
    For anyone who feels they must use Facebook, i.e. for business/professional reasons, FB does offer two-factor authorization using an authenticator app such as Authy or Google Authenticator.
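The authenticator apps named in the reply above (Authy, Google Authenticator) implement the TOTP algorithm of RFC 6238, which is HOTP (RFC 4226) with the counter derived from the clock. The block below is an added example, not code from the article, from Meta or from either app: it implements the code generation, the `otpauth://` provisioning URI that the enrolment QR code carries, and the server-side check with a small clock-drift window and replay protection (a window that has already been accepted is never accepted again, which is what stops a stolen six-digit code from being reused). The secret is the published RFC test-vector key, labelled as such; a real enrolment would use `new_secret()`.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# Constructed demo secret: the RFC 4226 / RFC 6238 test-vector key, NOT a real user's seed.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second window."""
    return hotp(secret, int(unix_time) // step, digits)


def provisioning_uri(secret, account, issuer):
    """otpauth:// URI of the kind encoded in the enrolment QR code; the secret is base32."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return "otpauth://totp/%s:%s?secret=%s&issuer=%s&period=30&digits=6" % (
        issuer, account, b32, issuer)


def new_secret(nbytes=20):
    """Fresh random seed for enrolment (160 bits, the length RFC 4226 recommends for SHA-1)."""
    return secrets.token_bytes(nbytes)


class TotpVerifier:
    """Server-side check. Accepts +/- `window` steps of clock drift, and refuses any window at
    or before the last one that succeeded, so a captured code cannot be replayed."""

    def __init__(self, secret, window=1, step=30):
        self.secret = secret
        self.window = window
        self.step = step
        self.last_counter = -1       # highest counter value already consumed

    def verify(self, code, unix_time):
        now = int(unix_time) // self.step
        for drift in range(-self.window, self.window + 1):
            counter = now + drift
            if counter <= self.last_counter:
                continue             # already used (or older than a used one): replay
            expected = hotp(self.secret, counter)
            if hmac.compare_digest(expected, code):   # constant-time comparison
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    t = 59                                                   # RFC 6238 test-vector time
    code = totp(DEMO_SECRET, t)
    print("code at t=59:", code)                             # 287082
    server = TotpVerifier(DEMO_SECRET)
    print("first use accepted:", server.verify(code, t))     # True
    print("replay accepted:", server.verify(code, t))        # False
    print(provisioning_uri(DEMO_SECRET, "alice@example.com", "ExampleApp"))
```

The drift window is the usual trade-off: one step either side tolerates a phone clock that is up to 30 seconds off, while the `last_counter` check keeps that tolerance from turning into a replay opportunity inside the same window.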
  • Reply 13 of 13
    gatorguy (Posts: 23,469, member)
    A list of the affected iOS apps, including some standouts with horrendous spelling mistakes. Quality stuff. ;)

    iOS App ID   App Name
    1555651942   FB Advertising Optimization
    1561642325   Business ADS Manager
    1563142182   Ads Analytics
    1564091908   FB Adverts Optimization
    1566705026   FB Analytic
    1566706023   FB Adverts Community
    1574530186   Adverts Ai Optimize
    1587056055   Very Business Manager
    1591775710   FB Business Support
    1593368297   Fb Ads
    1596775769   Meta Optimizer
    1597553589   Business Manager Pages
    1598946098   Adverts Manager
    1600072709   Meta Adverts Manager
    1600404846   Ad Optimization Meta
    1601275530   FB Pages Manager
    1602637866   Business Ads
    1603255418   Meta Business
    1603571287   Business Suite Manager
    1604086670   FB Ads Cost
    1607057895   Adverts Bussiness Suite
    1608743187   Business Ads Clock
    1609915932   Ads & Pages
    1610859814   Business Suite
    1610944161   Business & Ads
    1612196202   Business Manager Overview
    1613983385   Business Suite Ads
    1619733733   Page Suite Manager
    1622402517   Business Meta Support
    1623362126   Pages Manager Suite
    1625368035   Business Meta Pages
    1626632781   Business Suite Ads
    1626692617   Ads Business Knowledge
    1629919774   Page Suite Managers
    1631778308   Pages Managers Suite
    1632069527   Ads Business Advance
    1632606219   Pages Manager Suite
    1633012933   Business Suite Optimize
    1633016482   Business Manager Suite
    1633078757   Business Suite Managers
    1633828994   Ads Business Manager
    1635045234   Ads Business Suite
    1635301567   Business Manager Pages
    1635555183   Business Adverts Manager
    1636196931   Ads Manager Suite
    1636825108   Business Manager Pages
    1639572841   Ads & Business Suite
    edited October 10