Twitter said that a “bug” sent user’s private direct messages to third-party developers “who were not authorized to receive them.”
The social media giant began warning users Friday of the possible exposure with a message in the app.
“The issue has persisted since May 2017, but we resolved it immediately upon discovering it,” the message said, which was posted on Twitter by a Mashable reporter. “Our investigation into this issue is ongoing, but presently we have no reason to believe that any data sent to unauthorized developers was misused.”
A spokesperson told TechCrunch that it’s “highly unlikely” that any communication was sent to the incorrect developers at all, but informed users out of an abundance of caution.
Twitter said in a notice that only messages sent to brand accounts — like airlines or delivery services — may be affected. In a separate blog post, Twitter said that it’s investigation has confirmed “only one set of technical circumstances where this issue could have occurred.”
The bug was found on September 10, but took almost two weeks to inform users.
“If your account was affected by this bug, we will contact you directly through an in-app notice and on twitter.com,” said the advice.
The company said that the bug affected less than 1 percent of users on Twitter. The company had 335 million users as of its latest earnings release.
“No action is required from you,” the message said.
It’s the second data-related bug this year. In May, the company said it mistakenly logged users’ passwords in plaintext in an internal log, used by Twitter staff. Twitter urged users to change their password.