Some apps used Twitter and Facebook logins to steal personal information

Another reminder not to blindly use your Facebook and Twitter logins to access third-party apps.
Igor Bonifacic, @igorbonifacic
November 25, 2019

If you've used your Twitter or Facebook account to log in to another app on your phone, some of your personal information could have been accessed by shady developers. On Monday, Twitter published a notice on its website saying that some third-party developers may have used a software development kit called oneAudience to obtain your email, username and last tweet and share them with the company that created the tool. Facebook says it too had fallen victim to the oneAudience scam and plans to issue a similar notice to its users later today.

Twitter says the vulnerability isn't within Twitter itself, "but rather the lack of isolation between SDKs within an application." The company adds that it doesn't have evidence to suggest someone exploited the issue to take control of anyone's account -- but does warn that the possibility is there. The company says it has contacted both Apple and Google about the issue, but notes that it doesn't have evidence to suggest any iOS users had their personal information taken. We've reached out to Twitter, Facebook, Apple and Google for additional information and comment, and we'll update this article when we hear back from them.

Twitter ends the note by saying it plans to contact anyone who has been affected by the issue. "There is nothing for you to do at this time, but if you think you may have downloaded a malicious application from a third-party app store, we recommend you delete it immediately," the company says.

As for Facebook, a spokesperson for the company told Engadget that it has taken away login access from any apps that violated its policies, and issued cease and desist letters to oneAudience and Mobiburn (another SDK that offers similar functionality to oneAudience). The company went on to say that apps that used oneAudience and Mobiburn could have shared information like name, email, and gender with the companies that created the SDKs. Facebook plans to notify 9.5 million people that their data has potentially been compromised.

While this doesn't seem to be as large as last year's Cambridge Analytica data abuse, the potential exposure of people's data could be yet another factor that erodes the faith people have in Facebook's ability to keep their personal information secure. More than that, though, it's a reminder not to blindly use Facebook or Twitter logins for third-party apps and services unless you know exactly what they're doing with that information.

Update 5:13PM ET: This article has been updated to more clearly reflect that user data was compromised through malicious third-party software, rather than through a direct hack of Facebook's code.
