You are here: Home » Companies » News
Business Standard

Data breach: Third party apps leak personal information from FB, Twitter

India is among largest market for Facebook and Twitter.

Data Privacy | Facebook data breach | Data breach

Press Trust of India  |  New Delhi 

data breach
Photo: Shutterstock

Malicious applications have leaked personal data of Facebook and Twitter users to third party, according to an advisory issued by cyber security watchdog Cert-In without disclosing the impact on Indian subscribers.

India is among largest market for Facebook and Twitter.

The apps violated Facebook platform policy by installing software in their apps by sending information to two companies-- OneAudience and Mobiburn, the advisory said.

Twitter shared that a software development kit (SDK) developed by OneAudience contains privacy-violating component which may have passed some of its users' personal information like email, username, tweet to OneAudience servers, it added.

"It has been reported that personal data of Facebook and Twitter users were improperly accessed by a pair of malicious SDKs used in certain third-party apps," Cert-in said in the advisory note on November 27.

When contacted Facebook said that security researchers recently notified the company about two bad actors, One Audience and Mobiburn, who were paying developers to use malicious software developer kits (SDKs) in a number of apps available in popular app stores.

"After investigating, we removed the apps from our platform for violating our platform policies and issued cease and desist letters against One Audience and Mobiburn. We plan to notify people whose information we believe was likely shared after they had granted these apps permission to access their profile information like name, email and gender," Facebook spokesperson said.

Twitter said the breach has not happened due to a vulnerability in Twitter's software, but rather the "lack of isolation between SDKs within an application".

"We have evidence that this SDK was used to access people's personal data for at least some Twitter account holders using Android, however, we have no evidence that the iOS version of this malicious SDK targeted people who use Twitter for iOS," Twitter said in a blogpost.

It further said that the microblogging platform has also informed Google and Apple about the malicious SDK so they can take further action if needed.

"We have also informed other industry partners about this issue," Twitter said.

Dear Reader,

Business Standard has always strived hard to provide up-to-date information and commentary on developments that are of interest to you and have wider political and economic implications for the country and the world. Your encouragement and constant feedback on how to improve our offering have only made our resolve and commitment to these ideals stronger. Even during these difficult times arising out of Covid-19, we continue to remain committed to keeping you informed and updated with credible news, authoritative views and incisive commentary on topical issues of relevance.
We, however, have a request.

As we battle the economic impact of the pandemic, we need your support even more, so that we can continue to offer you more quality content. Our subscription model has seen an encouraging response from many of you, who have subscribed to our online content. More subscription to our online content can only help us achieve the goals of offering you even better and more relevant content. We believe in free, fair and credible journalism. Your support through more subscriptions can help us practise the journalism to which we are committed.

Support quality journalism and subscribe to Business Standard.

Digital Editor

First Published: Thu, November 28 2019. 22:10 IST