On Friday, Twitter revealed that it recently discovered a bug that may have caused some users’ direct messages and private tweets to be sent to unauthorized third-party developers.
The company said the bug has been in effect since May 2017 and was patched only recently. It affected less than 1 percent of users on the platform, which works out to around three million of the site’s 336 million monthly active users.
Twitter said it found the bug in its Account Activity API, which gives registered developers the ability to build tools to help businesses communicate with customers on Twitter.
“If you interacted with an account or business on Twitter that relied on a developer using the AAAPI to provide their services, the bug may have caused some of these interactions to be unintentionally sent to another registered developer,” Twitter said in a blog post.
Affected users will be contacted
The company tweeted that although it hasn’t found any instance where data was sent to the incorrect party, it can’t rule out the possibility that some users’ may have had their messages accidentally sent to the wrong recipient.
Direct Messages that could have been exposed were between users and companies that use Twitter for customer service interactions, Twitter said.
“In some cases this may have included certain Direct Messages or protected Tweets, for example a Direct Message with an airline that had authorized an AAAPI developer,” Twitter said. “Similarly, if your business authorized a developer using the AAAPI to access your account, the bug may have impacted your activity data in error.
The microblogging platform added that people who were potentially affected by the bug will be contacted directly through an in-app notice and on Twitter’s site.
Twitter said it has contacted its developer partners to make sure they delete any information they received in error.
“Our investigation is ongoing. We will continue to provide updates with any relevant information,” Twitter said, adding that it’s “very sorry this happened.”
Back in May, Twitter disclosed that it had found a glitch that caused user passwords to be stored in plain text. At the time, it advised all of its users to change their passwords.