
One million Facebook users had passwords stolen by fake apps



Security researchers at Meta uncovered over 400 malicious apps from the App Store that stole credentials from Facebook users.

These apps, found on iOS and Android, posed as VPNs, photo editors, games, business apps, and other categories such as horoscope apps. However, the vast majority of the apps were found on the Google Play Store.

The company didn't reveal how many people were affected, but others say it could have been as many as one million Facebook users.

"Many of the apps provided little to no functionality before you logged in, and most provided no functionality even after a person agreed to log in," said David Agranovich, Meta's Director of Threat Disruption.

The apps required people to log in with their Facebook account, which is a standard method to sign in with some apps and services. As a result, the apps were able to steal the login credentials.

Categories of malicious apps. Credit: Meta

Once an attacker compromises an account in this way, they can potentially access all private information on the person's Facebook profile. They could even message the person's Messenger contacts to send links to the malicious apps and compromise more accounts.

Meta has reported the malicious apps to Apple and Google, and they have been removed from each app store. Through its own app, Facebook is also alerting people who may have been compromised and helping them secure their accounts.

How to stay safe

Meta shared a few things to consider before logging into an app with a Facebook account.

  • Is the app unusable without a Facebook login?
  • Is the app reputable? Check the number of downloads it has, along with ratings and reviews.
  • Does the app provide the functionality it says it will, before or after logging in?

Another way to stay safe is to simply not log in with Facebook. Sign in with Apple is more secure, although not every app will offer it.

Logging in with an old-fashioned email address, using a strong password generated with a password manager such as iCloud Keychain, would also be more secure — and private — than Facebook's method.



13 Comments

netling 22 Years · 77 comments

The last paragraph sums it up… but let’s go a step further!

”Logging in with an old-fashioned email address, using a strong password generated with a password manager such as iCloud Keychain, would also be more secure — and private — than Facebook's method.”… now let’s use a forwarding address that’s created specifically for this website/app. Meaning if I downloaded Crazier Birds (made up app) and it wants me to sign in, I create a forwarding email, crazybirds1@ForwardingAddress.com, and then generate a random password. Worst case, hackers get my login to Crazy Bird but nothing else, not my FB, Google, Apple, etc. The hackers literally cannot go anywhere with this, end of the line. They don’t harvest any emails, and if they start spamming my forwarding address, I kill it and no harm done; they don’t get any original personal information.

But where and how do I get this forwarding address? Great question! Apple started providing this for free; you can even use your own domain for this through Apple. Apple randomly assigns an email for logins. There are also services out there that provide this, Google it!

10 Likes · 0 Dislikes
Anilu_777 9 Years · 580 comments

I NEVER use log in with Facebook, Twitter, Google or any social. It’s either a trash email I keep for this purpose or Log in with Apple. The only problem I’ve found with Log in with Apple is resetting passwords. They ask for the original email.

1 Like · 0 Dislikes
docbburk 8 Years · 109 comments

Working to prevent this is part of the reason for the 30% commission the App Store charges. Congress needs to get their hands and minds out of campaign donors’ pockets and quit trying to allow alternative app stores and freeloaders on the App Store.

6 Likes · 0 Dislikes
maciekskontakt 16 Years · 1168 comments

Anilu_777 said:
I NEVER use log in with Facebook, Twitter, Google or any social. It’s either a trash email I keep for this purpose or Log in with Apple. The only problem I’ve found with log in with Apple is resetting passwords. They ask for the original email. 

They are supposed to be high-security identity management. Unfortunately for them, they are not accepted in finance. Only serious vendors with no leaks and issues are.

1 Like · 0 Dislikes