Millions of Twitter and Facebook users may have had their personal information compromised

Well, that's not good.
By Amanda Yeo
Twitter has said the vulnerability was due to third-party software. Credit: Monika Skolimowska/picture alliance via Getty Images

Twitter and Facebook have confirmed millions of users may have had their personal information compromised by malicious software hidden in third-party apps. This includes names, genders, emails, usernames, and potentially people's last tweets.

"We recently received a report about a malicious mobile software development kit (SDK) maintained by oneAudience," Twitter announced in a blog post on Monday. Concealed in apps downloaded from the Google Play Store, the SDK could "exploit a vulnerability in the mobile ecosystem" to expose users' personal data to third-party developers.

Apps often ask for access to users' social media, linking to Twitter and Facebook accounts to provide features such as in-game leaderboards and the ability to share achievements. However, doing so in an app using this SDK potentially allowed third-party developers to access much more data than users had agreed to.



"While we have no evidence to suggest that this was used to take control of a Twitter account, it is possible that a person could do so," wrote Twitter.

Fortunately, there is nothing to suggest iOS users were impacted. Unfortunately, the vulnerability was exploited to access the data of some Twitter users on Android.

Twitter says it has informed Google and Apple of the issue, and will be notifying those who may have been impacted. However, there isn't much people can do other than delete unused apps, clean up their app permissions, and hope they weren't affected.

Facebook users were similarly affected by the oneAudience SDK, as well as a similar SDK from MobiBurn. "[Both] were paying developers to use malicious software developer kits (SDKs) in a number of apps available in popular app stores," said Facebook.

The company will also notify potentially affected users, who number a whopping 9.5 million. In a statement to CNBC, Facebook claimed it has since removed the offending apps, as well as issued a cease and desist to both oneAudience and MobiBurn.

In response, oneAudience released a statement on Monday saying it will be shutting down its SDK immediately, though it noted that it had already pushed an update to prevent such data collection once informed of the vulnerability. "This data was never intended to be collected, never added to our database and never used," said oneAudience.

MobiBurn also released a statement asserting it had not "collected, shared or monetised" any data from Facebook, and characterised itself as a mere middleman who introduces app developers to third-party data monetisation companies.

Even so, MobiBurn will cease all activities until it completes its investigation into the matter.

All of this is another reminder to be mindful of what you download, and never link apps to your social media accounts if you can avoid it. Your friends probably don't care about your high score anyway.

Amanda Yeo
Assistant Editor

Amanda Yeo is an Assistant Editor at Mashable, covering entertainment, culture, tech, science, and social good. Based in Australia, she writes about everything from video games and K-pop to movies and gadgets.
