In context: Social media platforms don't have the best track record when it comes to protecting the privacy of their users' data. Facebook, Twitter, and other platforms have been subject to numerous data breaches or privacy scandals over the years, and we're seeing yet another example of that today. However, in a somewhat unexpected turn of events, the latest data exposure is not strictly the fault of either social media platform.
As reported by CNBC today, "hundreds" of Facebook and Twitter users may have had their personal data "improperly accessed" due to a malicious Android SDK embedded in certain apps, including Giant Square and Photofy.
When users sign in to these apps using Twitter or Facebook, the SDK in question is capable of exploiting a vulnerability in the "mobile ecosystem" to allow certain details -- including emails, usernames, and Tweets -- to be swiped by bad actors. In a public disclosure post, Twitter says that while it has "no evidence" to suggest any accounts were actually taken over due to exposed information, it's "possible" that an individual could do so if they wished.
Facebook users were impacted in largely the same way. The same malicious SDK was used to access similar data, including names, emails, and gender identity information. Nothing too damning in the grand scheme of things, but email addresses, in particular, are likely something many people would prefer to keep as private as possible (an increasingly tough task in today's day and age).
Both Facebook and Twitter have made it clear that their own systems have not been breached; at least, to their knowledge. Twitter says this matter did not come about due to any vulnerability in its own app software. Instead, the social media giant claims the vulnerability was made possible due to the "lack of isolation between SDKs" in an app.
If you want to protect yourself from this problem, be sure to visit your third-party app authorizations menu in your Facebook or Twitter account's settings. If you see any apps you don't recognize or don't need, you can revoke their access, which should keep your details secure.
It should also be noted that iOS users do not appear to have been affected by any of this. Revoking unnecessary third-party app access is still good security practice, but the "mobile ecosystem vulnerability" seems to be exclusive to Android devices for now. Google (and Apple, for good measure) have already been notified of the dilemma, and we'll update you if it gets fixed.