Facebook and Twitter admitted that hundreds of users inadvertently gave access to their personal data through third-party apps. The companies stated the affected users have been using their social media accounts to log in to certain Android applications.
The social media giants were notified about the issue by third-party security researchers, who discovered that One Audience and Mobiburn software development kits (SDK) provided access to users’ sensitive data. The exposed information included usernames, email addresses, recent tweets and posts on both the platforms.
“We recently received a report about a malicious mobile software development kit (SDK) maintained by One Audience. We are informing you about this today because we believe we have a responsibility to inform you of incidents that may impact the safety of your personal data or Twitter account,” Twitter said in a post.
It’s said that the breach reportedly affected Android users who accessed the Giant Square and Photofy apps using their Facebook or Twitter accounts. However, there are no reports that i0S users have been impacted by the incident.
Twitter and Facebook stated that they will notify the affected users. Twitter said that it has also informed Google, Apple, and other industry partners about the malicious SDK to take further action if needed.
“We will be directly notifying people who use Twitter for Android, who may have been impacted by this issue. There is nothing for you to do at this time, but if you think you may have downloaded a malicious application from a third-party app store, we recommend you delete it immediately,” Twitter added.
In a similar security incident, Twitter exposed phone numbers and email addresses of its users who opted for two-factor authentication (2FA) protection. The company stated that user contacts had been used for targeted advertising purposes. Twitter stated that an error in its “Tailored Audiences and Partner Audiences advertising system” unintentionally used the information, provided by users, to run targeted ads.
Also, Facebook admitted a data breach involving roughly 100 third-party app developers who had improper data access. In a blog post, Facebook’s Konstantinos Papamiltiadis, Director of Platform Partnerships revealed that app developers had access to user data such as group member names and profile pictures through the Group API.