We recently received a report about a malicious mobile software development kit (SDK) maintained by oneAudience. We are informing you about this today because we believe we have a responsibility to inform you of incidents that may impact the safety of your personal data or Twitter account.
This issue is not due to a vulnerability in Twitter’s software, but rather to the lack of isolation between SDKs within an application: a third-party SDK compiled into a mobile app runs inside that app’s process, with the same permissions and access to the same data as the app itself. Our security team has determined that the malicious SDK, when embedded within a mobile application, could exploit this weakness in the mobile ecosystem to access and exfiltrate personal information (email, username, last Tweet) belonging to the person using that app. While we have no evidence to suggest that this was used to take control of a Twitter account, it is possible that a person could do so.
We have evidence that this SDK was used to access the personal data of at least some Twitter account holders using Android. However, we have no evidence that the iOS version of this malicious SDK targeted people who use Twitter for iOS.
We have informed Google and Apple about the malicious SDK so they can take further action if needed. We have also informed other industry partners about this issue.
We will be directly notifying people who use Twitter for Android who may have been impacted by this issue. There is nothing for you to do at this time, but if you think you may have downloaded a malicious application from a third-party app store, we recommend you delete it immediately. You can see a list of all third-party apps you have authorized to access your Twitter account here. If you don’t recognize any of them, or if you no longer use them, we recommend revoking their access to keep your account secure.
You can also reach out to our Office of Data Protection through this form to request information regarding your account security.