
Kaspersky Lab stated that it had discovered a large-scale scheme to steal the credentials of VKontakte users through a music-playing application. According to the company, the victims could number in the hundreds of thousands, says a report on the company's website.
The application used to steal the information was a music player called “Music VKontakte”. Victims downloaded it from the official Google Play store, which hosts software for Android devices. According to rough estimates by Kaspersky Lab, the number of victims may amount to hundreds of thousands.
The data theft occurred after the user logged in to the application, that is, entered the login and password for their VKontakte account. Notably, the attackers verified the credentials by sending them to the legitimate authentication server oauth.vk.com, Kaspersky notes, and users did not suspect that the program was malicious because it performed its stated function: it played audio from VKontakte.
Subsequently, the attackers most often used the stolen information to add user accounts to various communities that they intended to “promote” on the social network. However, in some cases, the thieves simply changed the password, taking over the account.
George Lobushkin, a spokesman for the social network, said that VKontakte users who faced information theft through a music-playing application had in fact voluntarily given their data to fraudsters.
VKontakte users who use third-party applications are advised to urgently change their passwords and activate two-factor authentication.
UPD fuCtor:
For applications that do not support two-factor authentication, it is possible to generate a password (my settings -> security -> set up application passwords), which can be deleted if necessary.