Twitter on Friday announced it has fixed a bug affecting one of its APIs that may have sent users’ private direct messages and protected tweets to third-party developers who were not meant to receive them.
Twitter has not discovered any instances where DMs or protected tweets were delivered to the wrong developer. But the microblogging service also “can’t conclusively confirm it didn’t happen,” so it’s notifying the “less than 1 percent of people on Twitter” who may have been affected.
Twitter now has more than 336 million monthly active users, meaning more than 3 million people are potentially impacted. The company is notifying individuals via an in-app notice and on Twitter.com.
The bug affected Twitter’s Account Activity API, used by registered developers to build customer service tools. It was present for more than a year, from May 2017 until Sept. 10, when Twitter found it. The company said it patched the flaw “within hours of discovering it.”
“If you interacted with an account or business on Twitter that relied on a developer using the AAAPI to provide their services, the bug may have caused some of these interactions to be unintentionally sent to another registered developer,” Twitter explained. “Based on our initial analysis, a complex series of technical circumstances had to occur at the same time for this bug to have resulted in account information definitively being shared with the wrong source.”
The bug only involves your messages and interactions with companies that use Twitter “for things like customer service” – not all your DMs, the company said.
Twitter said its investigation into the matter is “ongoing.” At the same time, the company is working with developers to ensure they delete any information they shouldn’t have.
“We’re very sorry this happened,” Twitter wrote. “We recognize and appreciate the trust you place in us, and are committed to earning that trust every day.”