Facebook has warned users that some malicious Android and iOS apps are stealing user login credentials.

The company said that over 400 malicious apps disguised as games, photo editors, and other utilities have been identified, according to The Verge report.

Individuals were tricked into downloading apps and redirected to log in with Facebook. The developers were then able to loot credentials, The Verge reported. A Facebook report indicated that out of the 402 malicious apps on Play Store, 355 were for Android, and 47 were for iOS.

Facebook altered users who “may have unknowingly self-compromised their accounts by downloading these apps and sharing their credentials.” Bloomberg reported that a million users were affected.

Here is what you can do

Meta recommends users reset the password, enable two-step verification, and turn on login alerts to receive a notification when someone tries to access the account.