Twitter and Facebook have both been targeted by malicious mobile SDKs on Android that accessed personal data, such as email addresses and user names. The companies have since informed Google about the issue, and Facebook sent cease and desist letters to the data collection firms behind the SDKs, oneAudience and MobiBurn.
Affected applications include Giant Square and Photofy, but neither Facebook nor Twitter shared a complete list of infected services. The SDKs were embedded into those applications to allow users to sign in using their social network credentials and help app programmers monetize their products through targeted advertising.
Twitter even says that it may have been possible to gain access to accounts using the oneAudience SDK, but it hasn't found any evidence that the SDK was used to do so. The company also makes it clear that the "issue is not due to a vulnerability in Twitter’s software, but rather the lack of isolation between SDKs within an application."
MobiBurn and oneAudience both published statements, too. MobiBurn says that it merely acts as an intermediary and doesn't collect the data itself, though it doesn't deny that its partners may have received the information. The company stopped all of its activities while it investigates third parties. oneAudience states it never intended to collect the account data in question and claims the data has not been saved, even though it passed through its servers. It has now fully shut down its SDK, despite having already updated it on November 13 to remedy the problem.
Twitter says it will directly notify people who may have been affected. Regardless, the company recommends that you remove any third-party applications from your account that you don't recognize or no longer use, a practice you should follow regularly. You can find the same list and options in Facebook, too.