Up to 1 million “live” VK.com accounts may have been compromised by attackers
Kaspersky Lab said it has discovered a large-scale scheme to steal VKontakte user credentials through a music-player application. According to a statement on the company’s website, hundreds of thousands of people could have fallen victim to the attackers. The credentials were stolen by a music app called “Music VKontakte”, which victims downloaded from the official Google Play store, the distribution point for Android software. By Kaspersky Lab’s rough estimate, the number of victims may be in the hundreds of thousands.
The data theft occurred after a user logged in to the application, that is, entered the username and password for their VKontakte account. Notably, Kaspersky pointed out, the attackers verified the stolen credentials by sending them to the legitimate authentication server oauth.vk.com. Users had no reason to suspect that the program was malicious, because it performed its advertised function: it played audio recordings from VKontakte.
Subsequently, the attackers most often used the stolen credentials to add the victims’ accounts to various communities they were promoting on the social network. In a number of cases, however, the thieves simply changed the password and took over the account.
A spokesman for the social network, Georgy Lobushkin, said that VKontakte users whose data was stolen through the music app had, in effect, voluntarily handed their credentials to the scammers.
VKontakte users who use third-party applications are advised to change their passwords immediately and enable two-factor authentication.
UPD
fuCtor:
For applications that do not support two-factor authentication, it is possible to generate a password (my settings -> security -> configure application passwords), which can then be deleted if necessary.