Twitter revealed that it has a code patch for a bug that could have shared Twitter PM user data with outside software developers.
“We recently discovered a bug in our Account Activity API (AAAPI). This API allows registered developers to build tools to better support businesses and their communications with customers on Twitter,” the company said in a statement. “If you interacted with an account or business on Twitter that relied on a developer using the AAAPI to provide their services, the bug may have caused some of these interactions to be unintentionally sent to another registered developer. In some cases this may have included certain Direct Messages or protected Tweets, for example a Direct Message with an airline that had authorized an AAAPI developer. Similarly, if your business authorized a developer using the AAAPI to access your account, the bug may have impacted your activity data in error.”
Twitter said that less than 1 percent of Twitter’s total user base was affected, which was at 335 million monthly active users in July. The company also has hundreds of partner developers.
“We have no evidence to suggest that any data was improperly misused or exploited anywhere,” a company spokeswoman told CNBC, adding that the bug would only work if complex criteria were met. “There’s virtually no possibility that this happened, but we still want to be thorough.”
While Twitter is still investigating the incident, it said that the bug impacted user data between May 2017 and September 10, when it was discovered and fixed with a code patch within hours. The company added that if a user’s account was affected, they will be contacted directly through an in-app notice and on the social media site. It has also contacted any third-party developers who might have been affected.
“We’re very sorry this happened. We recognize and appreciate the trust you place in us, and are committed to earning that trust every day,” the company added.