A bug in how Twitter’s platform is accessed by third-party app developers exposed certain direct messages of select users to developers who do not work for Twitter, the company disclosed in a blog post today.
Twitter says the bug was active starting sometime in May of 2017, and Twitter issued a fix within hours of discovering it on September 10th, 2018. It affected less than 1 percent of users, and the direct messages affected were those between users and accounts or businesses that relied on a certain API designed for customer service interactions. Twitter’s example is a direct message with an airline that uses a developer account to access the affected API, which is known as the Account Activity API (AAAPI).
“If you interacted with an account or business on Twitter that relied on a developer using the AAAPI to provide their services, the bug may have caused some of these interactions to be unintentionally sent to another registered developer,” reads the post. “In some cases this may have included certain Direct Messages or protected Tweets, for example a Direct Message with an airline that had authorized an AAAPI developer. Similarly, if your business authorized a developer using the AAAPI to access your account, the bug may have impacted your activity data in error.”
Twitter says a “complex series of technical circumstances” was required to result in your direct messages being sent to the wrong source, and it details those circumstances in a separate blog post. Still, it’s a serious bug that doesn’t bode well for the privacy and data protection of users on the platform.
Twitter says it’s contacting affected users through its mobile app and website, and it’s working with developers to ensure anyone who received unauthorized information deletes it.Earlier this year, the company admitted to accidentally storing user passwords in plain text and advised all 330 million of its users at the time to change their login credentials.