[BreachExchange] Hundreds of Users Impacted in Twitter and Facebook Data Breach

Destry Winant destry at riskbasedsecurity.com
Fri Nov 29 10:01:30 EST 2019


https://www.cisomag.com/hundreds-of-users-impacted-in-twitter-and-facebook-data-breach/

Facebook and Twitter admitted that hundreds of users inadvertently
gave access to their personal data through third-party apps. The
companies stated the affected users have been using their social media
accounts to log in to certain Android applications.

The social media giants were notified about the issue by third-party
security researchers, who discovered that the One Audience and Mobiburn
software development kits (SDKs) provided access to users’ sensitive
data. The exposed information included usernames, email addresses,
and recent tweets and posts on both platforms.

“We recently received a report about a malicious mobile software
development kit (SDK) maintained by One Audience. We are informing
you about this today because we believe we have a responsibility to
inform you of incidents that may impact the safety of your personal
data or Twitter account,” Twitter said in a post.

The breach reportedly affected Android users who accessed the Giant
Square and Photofy apps using their Facebook or Twitter accounts.
However, there are no reports that iOS users have been impacted by
the incident.

Twitter and Facebook stated that they will notify the affected users.
Twitter said that it has also informed Google, Apple, and other
industry partners about the malicious SDK to take further action if
needed.

“We will be directly notifying people who use Twitter for Android, who
may have been impacted by this issue. There is nothing for you to do
at this time, but if you think you may have downloaded a malicious
application from a third-party app store, we recommend you delete it
immediately,” Twitter added.

In a similar security incident, Twitter exposed phone numbers and
email addresses of its users who opted for two-factor authentication
(2FA) protection. The company stated that user contacts had been used
for targeted advertising purposes. Twitter stated that an error in its
“Tailored Audiences and Partner Audiences advertising system”
unintentionally used the information, provided by users, to run
targeted ads.

Also, Facebook admitted a data breach involving roughly 100
third-party app developers who had improper data access. In a blog
post, Facebook’s Konstantinos Papamiltiadis, Director of Platform
Partnerships, revealed that app developers had access to user data such
as group member names and profile pictures through the Group API.

