Meta said it will notify approximately 1 million Facebook users that their account credentials may have been compromised due to security issues with apps downloaded from the Apple and Alphabet software stores. The company announced Friday that it has identified more than 400 malicious apps for Android and iOS this year that target Internet users to steal their login information. Meta said it informed Apple and Google about the problem to facilitate the removal of the apps.
The apps worked by masquerading as photo editors, mobile games or health trackers, Facebook said.
Apple said 45 of the 400 problematic apps were in the App Store and had been removed. Google has removed all the malicious apps in question, a spokesperson said.
“Cybercriminals know how popular these types of apps are and will use similar themes to trick people into stealing their accounts and information,” said David Agranovich, director of global threats at Meta. “If an app promises something too good to be true, such as unreleased features for another platform or social media site, chances are it has ulterior motives.”
A typical scam would unfold, for example, after a user downloads one of the malicious apps. The app requires a Facebook login before it will do anything beyond its basic functionality, thereby tricking the user into providing their username and password. Users could then, for example, upload an edited photo to their Facebook account. But in the process, they have unknowingly compromised their account by giving access to the app's author.
Meta said it will share tips with potential victims on how they can avoid "re-compromise" by learning how to better spot problematic apps that steal credentials, whether for Facebook or other accounts. The malicious activity occurred outside of Meta's systems, Agranovich said, adding that the passwords of all 1 million people were not necessarily compromised.
© 2022 Bloomberg LP