Android users who signed in to certain third-party apps with their Twitter or Facebook accounts may have had personal data accessed improperly, the two companies have disclosed. The issue reportedly affected users of the Photofy and Giant Square apps; iOS users of those apps are not reported to be affected.
According to CNBC, Facebook and Twitter were notified by security researchers that two software development kits (SDKs) had given some app developers access to user data, including usernames and email addresses. The exposure reportedly affected Android users who used their social media accounts to log in to Photofy and Giant Square. So far there are no reports of iOS users being affected.
Because the exposed data could include what is needed to act on a user's behalf, affected Android users' accounts could in principle have been taken over, though neither company has confirmed any case of this. On Monday, Facebook released a statement explaining that security researchers had found bad actors paying developers to include malicious SDKs in several apps available in popular app stores. Facebook identified the two actors as Mobiburn and One Audience.
Facebook says that after investigating, it removed the apps from its platform for violating its platform policies and issued cease and desist letters to Mobiburn and One Audience. It also plans to notify users whose data was likely shared after they granted the apps permission to access profile information such as name, gender, and email. Facebook's statement reads:
Security researchers recently notified us about two bad actors, One Audience and Mobiburn, who were paying developers to use malicious software developer kits (SDKs) in a number of apps available in popular app stores. After investigating, we removed the apps from our platform for violating our platform policies and issued cease and desist letters against One Audience and Mobiburn. We plan to notify people whose information we believe was likely shared after they had granted these apps permission to access their profile information like name, email, and gender. We encourage people to be cautious when choosing which third-party apps are granted access to their social media accounts.
Twitter told CNBC that users should be aware that incidents like this occur and should review the third-party apps they have authorized to log in to their accounts. Twitter's statement on the incident reads:
We recently received a report about a malicious mobile software development kit (SDK) maintained by oneAudience. We are informing you about this today because we believe we have a responsibility to inform you of incidents that may impact the safety of your personal data or Twitter account.
This issue is not due to a vulnerability in Twitter's software, but rather the lack of isolation between SDKs within an application. Our security team has determined that the malicious SDK, which could be embedded within a mobile application, could potentially exploit a vulnerability in the mobile ecosystem to allow personal information (email, username, last Tweet) to be accessed and taken using the malicious SDK. While we have no evidence to suggest that this was used to take control of a Twitter account, it is possible that a person could do so.
We have evidence that this SDK was used to access people's personal data for at least some Twitter account holders using Android. However, we have no evidence that the iOS version of this malicious SDK targeted people who use Twitter for iOS.
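Twitter's point about "the lack of isolation between SDKs within an application" is the part of this story most relevant to app developers, so here is an added illustration of it. This is not code from Twitter, Facebook, oneAudience or Mobiburn, and the article does not describe the actual mechanism the SDK used; the example only shows the general fact that a library compiled into an Android app runs in the app's own process and sandbox. All package, class, file and key names are hypothetical.

```java
// Added illustration, not code from any company named in the article.
// All package, class, file and key names are hypothetical.
package com.example.hostapp;

import android.content.Context;
import android.content.SharedPreferences;
import android.util.Log;
import java.io.File;
import java.util.Map;

// The host app: signs the user in with a social account and keeps the
// resulting access token in app-private preferences, a common pattern.
public final class SessionStore {
    static final String PREFS_FILE = "session";
    static final String TOKEN_KEY = "social_access_token";

    public static void saveToken(Context ctx, String token) {
        // MODE_PRIVATE protects the file from OTHER apps (different Linux UID).
        // It says nothing about other code inside this app.
        ctx.getSharedPreferences(PREFS_FILE, Context.MODE_PRIVATE)
           .edit().putString(TOKEN_KEY, token).apply();
    }
}

// A third-party SDK bundled into the same APK. Host apps normally initialise
// such SDKs with their application Context, e.g. AnalyticsSdk.init(getApplicationContext()).
final class AnalyticsSdk {
    public static void init(Context ctx) {
        // The SDK executes in the host app's process, with the host app's UID and
        // permissions. Android isolates apps from each other, not libraries from
        // each other inside one app, so nothing stops this code from opening the
        // host's private preferences by name...
        SharedPreferences session =
            ctx.getSharedPreferences(SessionStore.PREFS_FILE, Context.MODE_PRIVATE);
        String token = session.getString(SessionStore.TOKEN_KEY, null);

        // ...or from walking the app's private data directory and reading every
        // preference file without knowing any names in advance.
        File prefsDir = new File(ctx.getApplicationInfo().dataDir, "shared_prefs");
        File[] files = prefsDir.listFiles();
        if (files != null) {
            for (File f : files) {
                String name = f.getName().replaceFirst("\\.xml$", "");
                Map<String, ?> all =
                    ctx.getSharedPreferences(name, Context.MODE_PRIVATE).getAll();
                // An abusive SDK could now send `all` (and `token`) to its own servers.
                // Only key names are logged here; never log secret values.
                Log.d("AnalyticsSdk", name + " -> " + all.keySet());
            }
        }
        // Holding the user's token, the SDK's operator could then call the social
        // network's API as the user and read profile data such as email, username
        // and last Tweet, without any flaw in the social network's own software.
    }
}
```

The practical consequence is that no setting inside an app can fence off a bundled SDK; the control available to developers is to vet which SDKs they ship, and the control available to users is the one Twitter recommends above, reviewing and revoking the third-party apps authorized on their accounts.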