Twitter bug exposed direct messages to third-party developers

Twitter said that a “bug” sent users’ private direct messages to third-party developers “who were not authorized to receive them.”

The social media giant began warning users Friday of the exposure with a message in the app.

“The issue has persisted since May 2017, but we resolved it immediately upon discovering it,” said the message, which was posted on Twitter by a Mashable reporter. “Our investigation into this issue is ongoing, but presently we have no reason to believe that any data sent to unauthorized developers was misused.”

Twitter said it discovered the exposure on September 10, but took almost two weeks to inform users.

Twitter said in a notice that a developer API used by businesses to interact with customers — like airlines or delivery services — may have collected those particular direct messages by mistake. In a separate blog post, Twitter said that its investigation has confirmed “only one set of technical circumstances where this issue could have occurred.”

The company said that the bug affected less than 1 percent of users on Twitter. The company had 335 million users as of its latest earnings release.

“If your account was affected by this bug, we will contact you directly through an in-app notice and on twitter.com,” said the advice.

“No action is required from you,” the message said.

It’s the second data-related bug this year. In May, the company said a bug mistakenly logged users’ passwords in plaintext in an internal log used by Twitter staff. Twitter urged users to change their password.
