Twitter said it recently found and fixed an issue on its advertising platform that resulted in the company sharing some user data with advertising partners without the users' express consent.
Impacted users include only those who clicked or viewed an ad for a mobile application and later interacted with that mobile application.
The exposure data was from May 2018 to August 5, 2019, when it discovered and fixed the bug.
Twitter said the bug resulted in sharing some user data -- such as country code, device type, and ad details -- with a select list of advertisers Twitter uses for ad tracking and measurement purposes.
Twitter shared the full list of user ad data it exposed, and the the list of ad partners who may have received the info, but it did not disclose the name of the mobile apps which advertised on its platform and triggered the bug.
"We know you will want to know if you were personally affected, and how many people in total were involved," Twitter said.
"We are still conducting our investigation to determine who may have been impacted and If we discover more information that is useful we will share it."
In addition, Twitter disclosed a second ad privacy issue; however, this one didn't involve sharing data with an external partner.
The company said that since September 2018, its advertising platform made inferences about a user's devices to fine-tune ad delivery without the user's express approval.
"The data involved stayed within Twitter and did not contain things like passwords, email accounts, etc.," Twitter said.
This is how Twitter describes "inferences" on an associated help page:
For example, if you commonly use Twitter for Android around the same time and from the same network where you browse sports websites with embedded Tweets on a computer, we may infer that your Android device and laptop are related and later suggest sports-related Tweets and serve sports-related advertising on your Android device. We may also infer other information about your identity to help personalize your Twitter experience.
In other words, Twitter ignored an option in its own settings section for almost a year, and delivered targeted advertising regardless of the user's choice.
This is not the first Twitter privacy-related bug. For the past year, the company has been disclosing similar blunders on its platform.
For example, in September 2018, Twitter said it disclosed details about an API bug that shared users' private DMs with the wrong app devs.
In January 2019, Twitter disclosed another bug that exposed private tweets for some Android users for almost five years. Those tweets, meant to stay private, were visible to everyone, and were even indexed by search engines.
In May 2019, Twitter disclosed another bug on its platform that shared location data for some iOS users with "a trusted partner."