If you’ve used your Twitter or Facebook account to log in to another app on your phone, some of your personal information could have been accessed by shady developers. On Monday, Twitter published a notice on its website that says that some third-party developers may have used a software development kit called oneAudience to obtain your email, username and last tweet. According to CNBC, Facebook confirmed that it too had fallen victim to the oneAudience scam and plans to issue a similar notice to its users later today.
Twitter says the vulnerability isn’t within Twitter itself, “but rather the lack of isolation between SDKs within an application.” The company adds that it doesn’t have evidence to suggest someone exploited the issue to take control of anyone’s account — but does warn that the possibility is there. The company says it has contacted both Apple and Google about the issue, but notes that it doesn’t have evidence to suggest any iOS users had their personal information taken. We’ve reached out to Twitter, Facebook, Apple and Google for additional information and comment, and we’ll update this article when we hear back from them.
Twitter ends the note by saying it plans to contact anyone who has been affected by the issue. “There is nothing for you to do at this time, but if you think you may have downloaded a malicious application from a third-party app store, we recommend you delete it immediately,” the company says.
Facebook, meanwhile, told CNBC that it has taken away login access from any apps that took advantage of the vulnerability, and issued cease and desist letters to oneAudience and Mobiburn (another SDK that offers similar functionality to oneAudience).
While this doesn’t seem to be as large as last year’s Cambridge Analytica data abuse, the vulnerability could be yet another factor that erodes faith people have in the two companies’ abilities to keep their personal information safe.