Facebook owner Meta is warning that up to 1 million Facebook users could have had their logons to the social network stolen by hackers.
The social network says it discovered 400 malicious apps on Apple's and Google's app stores that were promoted as photo editors, business or lifestyle software but were actually designed to lure Facebook users into revealing their passwords.
See a full list of the apps here.
Meta says people who think they are affected should:
- Delete the app in question immediately.
- Change their Facebook password (see how to change your password, and create a strong new password, here).
- Enable two-factor authentication - or a second logon step that requires a confirmation message to your phone (see Facebook's how-to here).
Meta said it reported the apps to Apple and Google and the apps had since been taken down.
The company was not aware of the numbers of people who had downloaded the apps, arguing such information would only be known by Google and Apple — the operators of the app stores.
But Meta would notify people it believed may have been at risk.
"We're being kind of deliberately overcautious and notifying about 1 million users across our entire platform that they may have been exposed to applications like this," Meta's director of threat disruption, David Agranovich, said.
"That doesn't mean that they were compromised, just that we think that they may have been exposed to one of these applications."
When a person installs the malicious app, it may ask them to "Login With Facebook" before they are able to use its promised features. If they enter their credentials, the malware steals their username and password.
While the firm has posted a list of the offending software it's identified so far, it says to be suspicious of any app that provides no functionality unless you enter your Facebook credentials.