In brief: While Facebook and Google were lambasted by Apple for violating its rules on the use of Enterprise Certificates, it seems they weren’t the only ones guilty of this practice. The program has also been used to distribute hacked versions of popular apps, along with porn and gambling programs not allowed on Apple's store.

Reuters reports that the certificates, which are designed to let companies distribute iOS apps to their employees without going through the Apple Store, are being used by software pirates to modify apps such as Spotify, Angry Birds, Pokemon Go, and Minecraft. In Spotify’s case, the alterations allow music to be streamed without ads on its free tier—something the firm is trying to stop. In the hacked games, users can “circumvent fees and rules.”

The distributors of these apps make their money by charging $13 or more per year for subscriptions to “VIP” versions of their services, which offer more stable versions of the free, modded apps.

In a separate report, TechCrunch notes that the same certificate program is being used to distribute porn and real-money gambling apps, which Apple doesn’t allow or limits on its store.

Developers wishing to apply for an Enterprise Certificate have to pay $299 and fill out an online form promising not to distribute the apps to customers. Once they take a phone call from Apple a few weeks' later, the shady firms can acquire a certificate. These are often used by multiple publishers who make the enterprise apps available to sideload from various websites.

When it was revealed that Facebook and Google had been using the certificate program for market research purposes, Apple temporarily disabled access to their internal iOS apps, affecting everything from company transportation services to food ordering applications.

In a statement, Apple said it would be investigating the abuse of its program.

Developers that abuse our enterprise certificates are in violation of the Apple Developer Enterprise Program Agreement and will have their certificates terminated, and if appropriate, they will be removed from our Developer Program completely. We are continuously evaluating the cases of misuse and are prepared to take immediate action.

The company also announced that from February 27, all developer accounts will need to have two-factor authentication enabled, thereby keeping them more secure and stopping third-party access.