Facebook and Twitter on Monday announced that personal data of hundreds of users may have been improperly accessed after they used their accounts to log into certain Android apps downloaded from the Google Play store.
The companies received a report from security researchers who discovered that a software development kit named One Audience gave third-party developers access to personal data. That data includes the email addresses, usernames and most recent tweets of people who used their Twitter accounts to access apps including Giant Square and Photofy.
Twitter also said that it may have been possible for a person to take control of someone else's Twitter account through this vulnerability, though there is no evidence that this occurred.
"We think it's important for people to be aware that this exists out there and that they review the apps that they use to connect to their accounts," said Lindsay McCallum, a Twitter spokeswoman.
The warning comes as Facebook, Google and Twitter are all facing heightened scrutiny from regulators, lawmakers and users for the ways that personal data is used by outside developers to track and target consumers. The issue has been of particular concern since March 2018, when reports surfaced that analytics firm Cambridge Analytica improperly accessed up to 87 million Facebook profiles, in part to target ads for Donald Trump in the 2016 presidential election. Facebook later suspended tens of thousands of apps after investigating its ecosystem.
A Facebook spokesperson sent the following statement regarding Monday's disclosure:
"Security researchers recently notified us about two bad actors, One Audience and Mobiburn, who were paying developers to use malicious software developer kits (SDKs) in a number of apps available in popular app stores. After investigating, we removed the apps from our platform for violating our platform policies and issued cease and desist letters against One Audience and Mobiburn. We plan to notify people whose information we believe was likely shared after they had granted these apps permission to access their profile information like name, email and gender. We encourage people to be cautious when choosing which third-party apps are granted access to their social media accounts."
Mobiburn posted a statement addressing the vulnerability on Monday, saying it does not collect, share or monetize data from Facebook.
"Mobiburn only facilitates the process by introducing mobile application developers to the data monetization companies," Mobiburn said. "This notwithstanding, Mobiburn stopped all its activities until our investigation on third parties is finalized."