
Facebook Sues oneAudience Over Stolen Login Data

[Image: Court document shows the Facebook logo above mobile app icons, symbolizing data theft via a hidden SDK]

Your Facebook login was being sold. Here is how the scheme worked.

Every time you clicked “Log in with Facebook” on a mobile game or shopping app, a New Jersey marketing firm was quietly stealing your name, gender, and email address. That is the core allegation in a lawsuit Facebook filed on February 27, 2020, in federal court in San Francisco.

Facebook says oneAudience paid mobile app developers to plant a hidden data-collection tool inside their software. The tool was a software development kit, or SDK, that looked like a normal analytics package. It was not normal.

Once installed, the SDK read data from Facebook’s OAuth login system. It also scraped information from Twitter and Google login sessions. The same person could be tracked across multiple apps and websites using the phone’s advertising identifier. The scheme ran from at least late 2018 until November 2019.

That is when security researchers spotted the abuse and tipped off Facebook through its data-abuse bounty program. Facebook says it immediately disabled the offending apps. It demanded an audit from oneAudience. The company refused.

“OneAudience refused to cooperate, so we moved to court,” wrote Jessica Romero, Facebook’s director of platform enforcement and litigation, in a blog post accompanying the suit.

The lawsuit seeks a permanent injunction and unspecified damages under the federal Computer Fraud and Abuse Act and the California Comprehensive Computer Data Access and Fraud Act. The filing does not name the specific mobile app developers that embedded the SDK. It does not say how many users were affected.

But the risk is concrete. The data behind your Facebook login was never supposed to leave the social network. The OAuth mechanism is designed to share only the minimal data a third-party app needs to work: your name, your profile picture, your email address. oneAudience’s SDK took that data and kept it. It also grabbed the phone’s advertising identifier, a device-level ID that lets marketers follow a user across the entire mobile ecosystem. That identifier does not change unless the user manually resets it.

Twitter and Facebook separately warned users about oneAudience on November 25, 2019. In its alert, Twitter said it had “evidence that oneAudience paid mobile apps to embed their SDK and that the SDK used malicious techniques to collect data.” Twitter urged people to review and revoke access to third-party apps.
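The two defensive ideas above, data minimization on the provider side and the "review and revoke" advice to users, can be made concrete in code. The following is an added example written for this article; it is not code from Facebook, Twitter or oneAudience. The scope-to-field mapping, the user profile and the list of connected apps are constructed for illustration and do not reproduce any real API's permission table.

```python
"""
Two small defender-side checks around OAuth-style social login:

1. release_profile(): the identity provider hands an app only the fields the
   user consented to (the minimal-data principle described in the article).
2. audit_grants(): a user (or a platform reviewer) lists connected apps and
   flags any whose granted permissions exceed what a login button needs, or
   that have gone unused for a long time, so they can be revoked.

Everything below is constructed sample data; scope names are illustrative.
"""
from dataclasses import dataclass

# Which profile fields each permission unlocks. Illustrative mapping only.
FIELDS_BY_SCOPE = {
    "public_profile": {"id", "name", "picture"},
    "email": {"email"},
    "user_friends": {"friends"},
    "user_posts": {"posts"},
}

# The minimum a sign-in button needs: an identity plus a contact address.
LOGIN_BASELINE = {"public_profile", "email"}

# A constructed user record as held by the identity provider.
PROFILE = {
    "id": "1234567890",
    "name": "Example User",
    "picture": "https://example.invalid/pic.jpg",
    "email": "user@example.invalid",
    "friends": ["friend-a", "friend-b"],
    "posts": ["post-1"],
}


def release_profile(granted_scopes, profile=PROFILE):
    """Return only the profile fields covered by the granted scopes.

    Anything not unlocked by a scope is withheld, so an app (and every SDK
    bundled inside it) can only ever see what the user agreed to share.
    """
    allowed = set()
    for scope in granted_scopes:
        allowed |= FIELDS_BY_SCOPE.get(scope, set())
    return {key: value for key, value in profile.items() if key in allowed}


@dataclass
class AppGrant:
    """One third-party app connected to a user's account (constructed)."""
    app_name: str
    scopes: set
    last_used_days_ago: int


def audit_grants(grants, baseline=LOGIN_BASELINE, stale_after_days=90):
    """Flag connected apps that merit review.

    Returns a list of (app_name, [reasons]) for apps that either hold scopes
    beyond the login baseline or have not been used within stale_after_days.
    """
    findings = []
    for grant in grants:
        reasons = []
        excess = set(grant.scopes) - baseline
        if excess:
            reasons.append("excess scopes: " + ", ".join(sorted(excess)))
        if grant.last_used_days_ago > stale_after_days:
            reasons.append(f"unused for {grant.last_used_days_ago} days")
        if reasons:
            findings.append((grant.app_name, reasons))
    return findings


# Constructed sample of connected apps, as a user might see on a review page.
SAMPLE_GRANTS = [
    AppGrant("Puzzle Game", {"public_profile", "email"}, 3),
    AppGrant("Shopping App", {"public_profile", "email", "user_friends"}, 12),
    AppGrant("Old Quiz", {"public_profile"}, 400),
]

if __name__ == "__main__":
    print(release_profile({"public_profile", "email"}))
    for app, reasons in audit_grants(SAMPLE_GRANTS):
        print(f"{app}: " + "; ".join(reasons))
```

The provider-side function is the boundary that actually limits exposure: once a field is released to the app process, any SDK compiled into that app can read it too, which is why the audit works on what was granted rather than on which library inside the app asked for it.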

The case raises a straightforward question: who else is doing this? Facebook’s platform enforcement team has a bounty program for data abuse. It caught oneAudience because security researchers reported it. But the SDK market for Android and iOS is vast. Developers routinely embed dozens of SDKs into a single app. Many of those kits collect data with the user’s consent. Some do not.

Facebook’s lawsuit names only oneAudience. The company is based in New Jersey. It is not a household name. It is a marketing firm. It paid mobile developers to embed its code. The developers presumably knew they were being paid. Whether they knew what the SDK actually did is unclear.

The lawsuit does not say whether any user data was sold to third parties. It does not say whether the data was used for targeted advertising. It says the data was harvested. That is enough for a lawsuit under the Computer Fraud and Abuse Act, which makes it illegal to access a computer without authorization.

Facebook’s single-sign-on button is used by millions of people daily. It is convenient. It is also a vector. The oneAudience case shows that convenience can be exploited. The company refused to cooperate. Facebook went to court. The outcome will set a precedent for how far a marketing firm can go before it crosses the line into fraud.