Over 1 million Facebook logins may have been stolen, says Meta

Facebook's parent company Meta said that as many as one million users may have had their login information stolen due to security issues with apps downloaded from Apple and Alphabet’s software stores. 

On Saturday, the company said that it identified more than 400 malicious Android and iOS apps this year that target internet users in order to steal their login information. However, Meta has informed both Apple and Google about the issue in order to facilitate removal of the apps, it said. 

Officials said that the apps are designed to be disguised as games, photo editors, or health and lifestyle services. Users are often asked to conveniently log in by using their Facebook, which enables hackers to steal passwords. 

As per the latest update, Apple said that 45 of the 400 problematic apps were on its App Store and have been removed. Google removed all the malicious apps in question, a spokesperson said. 

“Cybercriminals know how popular these types of apps are, and they’ll use similar themes to trick people and steal their accounts and information,” said David Agranovich, director of global threat disruption at Meta told Bloomberg.  

“If an app is promising something too good to be true, like unreleased features for another platform or social media site, chances are that it has ulterior motives,” he added. 

The data is likely to be compromised after a user downloaded one of the malicious apps. The app would require a Facebook login to work beyond basic functionality, thus tricking the user into providing their username and password. Users could then, for example, upload an edited photo to their Facebook account. But in the process, they unknowingly compromised their account by giving the author of the app access. 

Facebook has a long history of doing terribly when it comes to protecting customer data that can be traced all the way back to the beginning of its journey. Way back in 2013, Facebook found a bug that had been leaking the personal data of more than 6 million people to unauthorised viewers for more than a year, in which e-mail addresses and phone numbers were exposed. 

In 2018, private posts of 14 million people were shared publicly without their consent or knowledge. The bug was only able affect users for five days, and Facebook worked quickly to return all posts to regular privacy settings.  

Year 2018 definitely wasn’t a good year for Facebook in terms of data breaches, as they had to deal with the Cambridge Analytica controversy and experienced a second data breach. At the end of 2018, cybercriminals were able to access between 50 and 90 million user profiles. Facebook started their investigations into this breach a couple of weeks before they announced it publicly. The situation ended up being incredibly complicated and involved three separate bugs. As a result, Facebook logged 90 million users out and ask them to log back in again and reset their passwords. It also temporarily disabled certain features, like the ‘view as’ feature. 

In 2019 too, Facebook had a pretty significant data breaches, where millions of data was compromised in every quarter. 

More recently, in April 2021, personal data of over 500 million Facebook users has been posted online in a low-level hacking forum. The exposed data includes personal information of over 533 million Facebook users from 106 countries, including over 32 million records on users in the US, 11 million on users in the UK, and 6 million on users in India. It includes their phone numbers, Facebook IDs, full names, locations, birthdates, bios, and - in some cases - email addresses. 

On the recent hack, Meta said that it would be share tips with potential victims on how to better spot problematic apps that steal credentials, whether for Facebook or other accounts. Agranovich added that not all one million people necessarily had their passwords compromised.