If you downloaded an app in the past year that ended up really not working all that well, there’s a chance that its entire function was to steal your Facebook password.
Meta began notifying at least 1 million Facebook users that their password data may have been compromised via third-party apps downloaded from both the App Store and Google Play. The company published a report on Oct. 7 detailing its findings of more than 400 malicious apps that were “designed to steal Facebook login information and compromise people’s accounts.”
All of these apps are disguised as something that could be useful or entertaining, and Meta found that a large portion of the password-stealing apps paraded as photo editing apps. Other types of malicious apps appeared as VPN services, horoscope apps, fitness trackers, games, and business and ad management apps. Though both the App Store and Google Play hosted these apps, a majority of them appear on Google Play. Of the ones hosted on the App Store, most appear as business-oriented apps.
To determine whether an app you may have downloaded could be stealing your password, Meta suggests examining whether the app requires you to use Facebook credentials to log in. Though many apps offer “Sign in with Facebook” as a legitimate option, something could be amiss if it is the only option. Additionally, make note of whether the app delivers on any of its promised functions. Many of the troublesome apps did not work pre-sign-in with Facebook and continued to be defunct even after sign-in.
According to David Agranovich, Director of Threat Disruption, Meta shared its findings with both the App Store and Google Play, but removing the apps ultimately remained up to them. As of Oct. 7, Engadget reported that both hosts had removed all apps identified by Meta.
Though the malicious apps should no longer be available, if you are concerned that you may have downloaded and tried to use any of the listed apps in the past, Meta recommends that you change your password, enable two-factor authentication, and turn on log-in alerts so you’ll be notified if anyone tries to access your account.