One million Facebook users had passwords stolen by fake apps
Security researchers at Meta uncovered over 400 malicious apps from the App Store that stole credentials from Facebook users.
Facebook app logo
These apps, found on iOS and Android, posed as VPNs, photo editors, games, business apps, and other categories such as horoscope apps. However, the vast majority of the apps were found on the Google Play Store.
The company didn't reveal how many people were affected, but others say it could have been as many as one million Facebook users.
"Many of the apps provided little to no functionality before you logged in, and most provided no functionality even after a person agreed to login," said David Agranovich, Meta's Director of Threat Disruption.
The apps required people to log in with their Facebook account, a standard sign-in option offered by many apps and services. Because the fake apps controlled that login form, they were able to capture the credentials people typed in.
Categories of malicious apps. Credit: Meta
Once an attacker compromises an account in this way, they can potentially access all private information on the person's Facebook profile. They could even message the person's Messenger contacts to send links to the malicious apps and compromise more accounts.
Meta has reported the malicious apps to Apple and Google, and they have been removed from each app store. Through its own app, Facebook is also alerting people who may have been compromised and helping them secure their accounts.
How to stay safe
Meta shared a few things to consider before logging into an app with a Facebook account.
- Is the app unusable without a Facebook login?
- Is the app reputable? Check the number of downloads it has, along with ratings and reviews.
- Does the app provide the functionality it says it will, before or after logging in?
Logging in with an old-fashioned email address, using a strong password generated with a password manager such as iCloud Keychain, would also be more secure -- and private -- than Facebook's method.
Read on AppleInsider
Comments
"Logging in with an old-fashioned email address, using a strong password generated with a password manager such as iCloud Keychain, would also be more secure — and private — than Facebook's method." ... Now let's use a forwarding address that's created specifically for this website/app. Meaning if I downloaded Crazier Birds (made-up app) and it wants me to sign in, I create a forwarding email, crazybirds1@ForwardingAddress.com, and then generate a random password. Worst case, hackers get my login to Crazy Bird but nothing else, not my FB, Google, Apple, etc. The hackers literally cannot go anywhere with this, end of the line. They don't harvest any emails, and if they start spamming my forwarding address, I kill it and no harm done; they don't get any original personal information.
It's impossible to examine every app thoroughly, and scammers are continually on the lookout for ways to get 'cha despite the best efforts of Apple's and Google's app stores to prevent it.
It's 2022. I'm not blaming anyone (Google/Apple/Facebook/etc.) for my password being hacked.
I wouldn't blame the bus driver for getting a flat tire from running over some glass in the road. I'd blame the a-hole who left the glass there, or in this case, the people with the fake apps trying to intentionally phish your information.
We have the ability to set separate passwords and enable multi-factor authentication for every account (including Facebook!), so if anything got leaked it should be merely an inconvenience, not a huge problem. ALL of these major companies have done this already and seem to be doing their part to help.
When can we start blaming the individual users for putting their information into the sketchy-looking app, instead of the marketplace where the app is housed? I see this as an educational opportunity to teach users what not to trust in terms of apps and their personal information. I've used Facebook login for years and not been hacked because I know well enough what to trust and what NOT to trust in terms of apps. And you can always go into privacy settings and revoke access to those apps. The doors are all there, but the users are too dumb to know how to open them.