There is an utility called UDID changer, which is useless, but whatever. UDID can be used to change the UDID on someone's phones to your UDID. Tapulous' complete authorization system is based on UDID. This means that if someone has your UDID and UDID changer, then they have access to your tapulous account. Tapulous stores your passwords on their server, and the only way to get to it is with the correct UDID, your UDID. A malicious user changes their UDID to your UDID, accesses your Twinkle account and now have access to your Twitter and Facebook, and whatever else they store. For the sake of safety, cancel your Tapulous accounts as soon as possible, or change your twitter and facebook passwords until this vulnerability is fixed. All it takes for someone to get your UDID is for you to give it to them, whether or not you know you are. Well, how is this possible? The malicious user may just ask you, and you may give it to them. The malicious user may give you screenshots for a fantastic application they are making and offer you a beta. Of course, they need your UDID for you to beta test. The malicious user may be someone you know that actually has access to your device. Installer applications, such as Installer and Cydia send requests to the server with the UDID in the request. The maicious user may set up a repo to collect UDIDs. Etc. There are so many ways, it's ridiculous. Basically, you are not safe if you have a iPhone or iPod touch and a Tapulous account, you are at risk. UPDATE Tapulous are aware of the exploit, and are now working on a fix.