A bug in Twitter’s account activity API inadvertently leaked sensitive data to other developers, including direct messages and protected tweets, Twitter announced on Friday.
“If you interacted with an account or business on Twitter that relied on a developer using the AAAPI to provide their services, the bug may have caused some of these interactions to be unintentionally sent to another registered developer,” the company said in a statement.
The bug, which ran from May 2017 until September 10, 2018, required a “complex series of technical circumstances to occur” and impacted less than one percent of Twitter users.
Twitter counts over 335 million active users as of July.
Affected users are being directly contacted by Twitter. Those users have taken to the platform to complain about the bug.
I just got this from Twitter, so I asked:
"I received notice that Twitter employees had access to some of my DMs. Which DMs were they exactly? How many Twitter employees had access to them? Were the recipients of my DMs also told that my private messages to them were compromised? pic.twitter.com/OILTbbw7uc
— Katie Moussouris (@k8em0) September 21, 2018
— Giorgio Bonfiglio (@g_bonfiglio) September 21, 2018
uh-oh! Twitter’s API had a bug! pic.twitter.com/l4JI1zyBbX
— w i l l (@xWillzzzz) September 21, 2018
The company’s investigation into the issue is ongoing.