1 Million Users May Have Their Passwords Stolen By 400 Malicious Apps, Said Meta

Meta is the owner of both Facebook and Instagram, as well as a bunch of more products.

While the company has been praised for its contribution to the tech sphere, and how its products connect people and make the world a more reachable space, the company isn't known for maintaining a good security measure when it comes to preserving users' privacy.

From the famous Cambridge Analytica scandal, to the numerous other leaks and mishaps
And this time, yet again another leak is reported.

In a news post, Meta is warning that at least 1 million Facebook users may have their account information compromised.

But unlike before, this leak is caused by Facebook's integration with third-party apps from Apple or Google’s app stores.

1 million Facebook users leaked by 400 apps

In the report, the company’s security researchers said that they have identified more than 400 malicious apps designed to hijack users’ Facebook account credentials.

According to the company, the Android apps are disguised as "fun or useful" services, like photo editors, camera apps, VPN services, horoscope apps, and fitness tracking tools, whereas many of the malicious iOS apps are disguised as "business utility" apps.

The apps require users to "Log In with Facebook" before they can access the promised features. Nothing new, but this particular login feature is apparently a fake.

The apps use the feature to steal Facebook users’ account info.

Making things worse, many of the apps Meta identified were barely functional.

"Many of the apps provided little to no functionality before you logged in, and most provided no functionality even after a person agreed to login," said Meta’s Director of Threat Disruption, David Agranovich.

But since users would eventually give bad reviews, the malicious actors behind the apps are able to cover their tracks by publish lots and lots of fake good reviews.

[block:block=87]

1 million Facebook users leaked by 400 apps

"This is a highly adversarial space and while our industry peers work to detect and remove malicious software, some of these apps evade detection and make it onto legitimate app stores,” said Agranovich, and Malware Discovery and Detection Engineer Ryan Victory.

To help Facebook users avoid those apps, the company gave some tops to differentiate malicious apps from legitimate apps.

For example, malicious apps may require social media credentials to use the app before allowing users to use it.

Then, malicious apps tend to have bad reputations, less download counts, and negative reviews.

And lastly, apps users should be avoiding may not provide what they have promised users, either before or after logging in.

1 million Facebook users leaked by 400 apps

Agranovich said that Meta has shared its findings with both Apple and Google, but since it is ultimately up to the two stores to keep or remove the app, Meta is taking a preventive measure.

This is why it is pushing a warning to 1 million people who may have used the apps.

The notifications inform users that their account info may have been compromised by an app. The company doesn't name which app is the culprit, but recommends users to reset their passwords.