Twitter says bug exposed some users’ private messages for 16 months

September 22, 2018

Twitter has fixed a bug that caused private messages sent between certain users to be shared with third-party software developers for more than a year, the company said Friday.

“On Monday, September 10, we identified a bug that may have sent one or more of your Direct Messages or protected Tweets (if your account was protected at the time) to Twitter developers who are authorized to receive them,” the social networking service said in a message sent to certain users Friday.

“The issue has persisted since May 2017, but we resolved it immediately upon discovering it,” the message said.

Fewer than one percent of people on Twitter had either their private messages or protected tweets exposed by the bug, the company clarified in a blog post.

The bug affected an application programming interface, or API, used by approved developers to build tools for businesses that interact with customers on Twitter, the post said. Users who interacted with an account or business on Twitter that relied on a developer using the platform’s Account Activity API (AAPI) may have had their direct messages or tweets sent to different registered developers, according to the post.

“Our investigation into this issue is ongoing, but presently we have no reason to believe that any data sent to unauthorized developers was misused,” Twitter said. “We regret the incident and sincerely apologize for the error.”

Twitter said it is directly contacting account holders affected by the bug, as well as developers who may have inadvertently received those users’ messages.

Twitter had around 335 million active monthly users as of July 2018, the company said previously. Shares of Twitter stock were down 4.52 percent Friday afternoon compared to 24 hours earlier.
