Meta warns 1 million users of apps used to steal Facebook passwords

If you downloaded an app in the past year that ended up really not working all that well, there's a chance that its entire function was to steal your Facebook password.

Meta began notifying at least 1 million Facebook users that their password data may have been compromised via third-party apps downloaded from both the App Store and Google Play. The company published a report on Oct. 7 detailing its findings of more than 400 malicious apps that were "designed to steal Facebook login information and compromise people’s accounts."

All of these apps are disguised as something that could be useful or entertaining, and Meta found that a large portion of the password-stealing apps paraded as photo editing apps. Other types of malicious apps appeared as VPN services, horoscope apps, fitness trackers, games, and business and ad management apps. Though both the App Store and Google Play hosted these apps, a majority of them appear on Google Play. Of the ones hosted on the App Store, most appear as business-oriented apps.

Mashable Light SpeedWant more out-of-this world tech, space and science stories?Sign up for Mashable's weekly Light Speed newsletter.By signing up you agree to our Terms of Use and Privacy Policy.Thanks for signing up!

SEE ALSO:The best password managers for all your online accounts

To determine whether an app you may have downloaded could be stealing your password, Meta suggests examining whether the app requires you to use Facebook credentials to log in. Though many apps offer "Sign in with Facebook" as a legitimate option, something could be amiss if it is the onlyoption. Additionally, make note of whether the app delivers on any of its promised functions. Many of the troublesome apps did not work pre-sign-in with Facebook and continued to be defunct even after sign-in.

According to David Agranovich, Director of Threat Disruption, Meta shared its findings with both the App Store and Google Play, but removing the apps ultimately remained up to them. As of Oct. 7, Engadgetreported that both hosts had removed all apps identified by Meta.

---

Related Stories

---

• Even Apple admits Face ID can't fully secure your sensitive data
• How to find out if your password has been stolen

Though the malicious apps should no longer be available, if you are concerned that you may have downloaded and tried to use any of the listed apps in the past, Meta recommends that you change your password, enable two-factor authentication, and turn on log-in alerts so you'll be notified if anyone tries to access your account.