According to Amnesty International, people who use dominant online services such as Google and Facebook are subject to constant surveillance
According to Amnesty International, people who use dominant online services such as Google and Facebook are subject to constant surveillance AFP / DENIS CHARLET

Facebook and Twitter announced Monday that hundreds of users might have let their personal data be improperly accessed after logging into certain third-party apps downloaded from Google Play store using their accounts.

The security breach has affected android users who used their Facebook and Twitter accounts to access the Giant Square and Photofy apps downloaded from the Google Play store. As of now, there are no reports of iOS users being impacted by the data breach.

Security researchers gave the tech giants a report warning that One Audience and Mobiburn, two software development kits, let third-party developers access personal data of users, including email addresses, usernames and most recent tweets of people who used their Twitter accounts to access the apps.

“Security researchers recently notified us about two bad actors, One Audience and Mobiburn, who were paying developers to use malicious software developer kits (SDKs) in a number of apps available in popular app stores,” Facebook said in a statement released Monday.

“After investigating, we removed the apps from our platform for violating our platform policies and issued cease and desist letters against One Audience and Mobiburn.”

The tech giants said that this vulnerability lets a person take over someone else’s Twitter account, although there was no evidence of such a thing happening. Twitter said it will be informing the users who are affected by the data breach. They have also informed Google and Apple about the vulnerability to enable them to take further action.

“We think it’s important for people to be aware that this exists out there and that they review the apps that they use to connect to their accounts,” Lindsay McCallum, a Twitter spokeswoman, told CNBC.

Mobiburn, one of the SDKs embroiled in the controversy, said that it does not collect, share or monetize data from Facebook and that it only facilitates the process by introducing mobile application developers to the data monetization companies. They added that they would be stopping all their activities until the investigation on third-parties is finalized.

The security breach comes at a time when Google, Facebook, and Twitter are under heightened scrutiny from regulators and lawmakers for the way they handle the personal data of the users.