Twitter has started notifying users today about an API bug that accidentally shared direct messages (private messages) or protected tweets from a user's account with Twitter app developers.
According to a support page published today, Twitter said the bug was found in the Account Activity API (AAAPI), a system that allows Twitter business accounts to grant access to an account's data to multiple developers at the same time.
Because of the bug, when regular Twitter users contacted Twitter business accounts that used the AAAPI, DMs and protected tweets were sent to the wrong developers instead of the authorized ones.
Twitter said it discovered the bug on September 10, and fixed it the same day. They also said the bug was active between May 2017 and September 2018, for almost 16 months, and affected around one percent of Twitter users.
The bug represents a serious privacy issue, especially for Twitter business accounts that use DMs to handle customer complaints that in some cases may include private user information.
Earlier today, Twitter began showing popup messages to affected users accessing the Twitter website or mobile app.
Twitter also said it contacted developers who received the unintended data and the company is "working with them to ensure that they are complying with their obligations to delete information they should not have."
"We're very sorry this happened," a Twitter spokesperson said. "We recognize and appreciate the trust you place in us, and are committed to earning that trust every day."
On September 12, the Twitter staff also modified the way third-party apps can access images shared via direct messages, but this issue doesn't appear to be related to today's notification.
In July, Twitter hardened developer account verification policies in order to fight off bot networks and propaganda campaigns. The company also removed more than 143,000 suspicious apps at the same time.
Article updated shortly after publication with additional data from a Twitter blog post offering more details about the issue. Title updated accordingly.