A warning for millions of Facebook users: some apps you downloaded stole your username and password. Meta, Facebook’s parent company, has identified more than 400 malicious apps that don’t work unless you sign in using your Facebook credentials. When a user does that, the bad guys capture their username and password and can do whatever they want with the user’s Facebook account.

The apps identified include some of the popular “turn me into a cartoon” photo editing apps, game apps, music apps, and free VPN apps among others. Those were all Android apps. The iOS apps were business suite apps most consumers wouldn’t download.

The apps have been removed from both Apple’s App Store and the Google Play Store. Some of the Android apps are still available in countries outside the United States.

Users who downloaded and installed the apps before their app store removal need to do a few things. First, check your Facebook settings. Under Security and Login, click on Apps and Websites. You’ll see all of the apps and websites you’ve signed up for with your Facebook login information. If you see one you don’t remember or no longer use, it’s a good idea to trash it.

Meta says it is contacting users who gave the apps permission to see their Facebook information. If you receive a warning from Facebook or Meta, change your password to something unique that you don’t use anywhere else.

A good way to create a tough password you can remember is to think of two songs or movies and use the first letter of each word to create a new password. Add special characters and “fb” or “fa” at the beginning, end, or in the middle so you’ll easily remember the password and what it’s for.

Be selective in which apps you download and install. If it asks for your Facebook login before you can use it, beware. That’s suspicious.