Meta lists 400 apps that stole 1M Facebook users' credentials.
Meta has identified over 400 apps for iOS and Android as being created only to steal users' login credentials for the social networking site.
About one million users may have had their credentials compromised by one of the hundreds of apps Meta has found and listed. According to the company, users are tricked into downloading these apps because they look useful; in reality, they only harvest login credentials for social media platforms such as Facebook.
In a blog post, Meta's director of threat disruption, David Agranovich, and malware research and detection engineer, Ryan Victory, claimed that the company had discovered 400 mobile applications that appeared helpful but were harmful.
Approximately one million users may have had their data stolen by malicious apps that pretend to offer "fun or useful features." Examples include photo editors, VPNs that claim to increase download speeds, graphically intensive games, flashlight apps, fitness trackers, and business utilities such as ad managers for Facebook.
More than forty-two per cent (42.6%) of all the fake apps are photo editors. Meta explains that although it and others in the industry work to identify and remove fraudulent software, some of these programmes still manage to get into official app stores.
[Figure: Mobile applications for the theft of personal information. Source: Meta]
Credentials are not stolen merely because a user downloads and runs a rogue programme; the theft happens when the user logs in through it. Many of the 400 apps had "little to no functionality before you logged in, and most provided little functionality even after a person agreed to log in," as Agranovich explained to the press.
Users who use their Facebook credentials to access these third-party apps leave themselves vulnerable to a broader range of cyberattacks, including account takeover, across several platforms.
Recent advances in the development of bots or programmes that can do automated and repetitive tasks quickly at scale have also raised the worry of credential stuffing across many online venues.
Using a unique password for each online service is the best way to prevent credential-stuffing attacks. However, that can lead to password fatigue in today's digital world. According to Okta's report "Businesses at Work 2022," the average number of apps deployed by companies in 2021 was 89, up 24% from 2016.
Some research suggests that consumers use fewer web apps and services than businesses. However, a study by the Ponemon Institute found that 50% of IT security professionals and 29% of the general public repeat passwords.
Verizon's 2022 Data Breach Investigations Report confirms that compromised credentials are the primary source of data breaches.
Agranovich and Victory also brought some warning signs to light. "Malware apps often include warning indicators" that set them apart from legitimate programmes, the authors noted. Among these are:
- App reputation: check the app's download count, ratings, and reviews before installing it.
- Functionality: verify that the app actually works after you enter your credentials.
Meta found that out of 400 credential-stealing apps, 47 were available on the iOS App Store and 355 on the Android Play Store. Meta pointed out that you can also find these apps in other app shops.
Both Google and Apple have withdrawn the apps from their app stores. Unfortunately, that does not help the users of the 400 apps who have already downloaded them and logged in with their Facebook passwords.
If you used any of these apps, you should immediately change your Facebook password and the password of any other account that could have been compromised. In addition to enabling login notifications, users should set up two-factor authentication (2FA) with an authenticator app rather than SMS, because one-time passwords delivered to a user's mobile phone can be intercepted in a SIM-swapping attack.