If you’ve used your Twitter or Facebook account to log in to another app on your phone, some of your personal information could have been accessed by shady developers. On Monday, Twitter published a notice on its website that says that some third-party developers may have used a software development kit called oneAudience to obtain your email, username and last tweet and shared it with the company that created the tool. Facebook says it too had fallen victim to the oneAudience scam and plans to issue a similar notice to its users later today.
Twitter says the vulnerability isn’t within Twitter itself, “but rather the lack of isolation between SDKs within an application.” The company adds that it doesn’t have evidence to suggest someone exploited the issue to take control of anyone’s account — but does warn that the possibility is there. The company says it has contacted both Apple and Google about the issue, but notes that it doesn’t have evidence to suggest any iOS users had their personal information taken. We’ve reached out to Twitter, Facebook, Apple and Google for additional information and comment, and we’ll update this article when we hear back from them.
Twitter ends the note by saying it plans to contact anyone who has been affected by the issue. “There is nothing for you to do at this time, but if you think you may have downloaded a malicious application from a third-party app store, we recommend you delete it immediately,” the company says.
As for Facebook, a spokesperson for the company told Engadget that it has taken away login access from any apps that violated its policies, and issued cease and desist letters to oneAudience and Mobiburn (another SDK that offers similar functionality to oneAudience). The company went on to say that apps that used oneAudience and Mobiburn could have shared information like name, email, and gender with the companies that created the SDKs. Facebook plans to notify 9.5 million people that their data has potentially been compromised.
While this doesn’t seem to be as large as last year’s Cambridge Analytica data abuse, the potential exposure of people’s data could be yet another factor that erodes faith people have in Facebook’s ability to keep their personal information secure. More than that, though, it’s a reminder not to blindly use Facebook or Twitter logins for third-party apps and services unless you know exactly what they’re doing with that information.
Update 5:13PM ET: This article has been updated to more clearly reflect that user data was compromised through malicious third party software, rather than through a direct hack of Facebook’s code.