Meta has warned users of its Facebook platform that over 1 million user passwords may have been stolen. The third-party apps—which contain malware—would allow a user to login or register an account on the app using Facebook credential logins. At that point, a user of the third-party app would usually experience the app not working, while the app was actually harvesting the credentials.
Meta published the full report on October 7, detailing over 400 malicious apps that were “designed to steal Facebook login information and compromise people’s accounts.”
The malware apps were created in virtually every category, included photo editing, VPN, or business. The apps appeared on both the Apple App Store and Google Play, with Google hosting the majority of the apps—making Android users a primary target.
In order to mitigate this issue, Meta is recommending every Facebook user that uses third-party apps to sign-in using Facebook credentials to go to their Facebook account settings. Within the Facebook account settings, you will be able to see what websites or apps you are sharing your Facebook credentials with.
While Meta did inform Apple and Google of the malicious apps, removing them from each appropriate app store was up to Apple and Google, not Meta. Engadget reports that as of Oct. 7, all malicious apps have been removed.
If you haven’t already done so, it is best practice to perform the following for your Facebook account:
- Change your password now
- Enable two factor authentication
- Enable sign-on alerts for your Facebook account
