Meta has informed one million Facebook users that their usernames and passwords may have been compromised by malicious third-party apps downloaded from the Apple App Store and Google Play Store.

Meta security researchers have identified more than 400 scams designed to steal Facebook user credentials over the past year. According to the company, most of the apps are disguised as photo editors, while others are disguised as games, health monitors, flashlight boosters, VPNs, and business apps.

If a user downloads any of these apps, they will be prompted to sign in with their Facebook account before using the app. If they do, however, the account information is sent to the attackers. Most Facebook users aren’t very tech savvy so it’s pretty easy to fall for this phishing scam.

At this stage, the program will not fulfill its declared function. Now that attackers have access to the victim’s account, they can steal sensitive information and gain access to other apps and services that the victim logs into using their Facebook account.

Meta’s director of threat prevention, David Agranovich, said Meta has already shared its findings with Apple and Google. However, he notes that the two companies must ensure that the apps are removed.

To prevent other users from falling victim to such threats, Meta has provided some malware indications. First, these apps often ask for social media credentials even if there is no reason to do so. The developer can also advertise features that are not in the app. Finally, a program may be rogue if it has reviews that say the program doesn’t work as advertised.

If you think you downloaded a malicious app and logged into your Facebook credentials, uninstall the app and reset your password immediately. Also, enable two-factor authentication to increase the security of your account. Finally, turn on login notifications to be notified of any login attempts.