Millions of Twitter Users Affected By Information Exposure Flaw

Twitter recently discovered a bug in the Account Activity API (AAAPI). This API allows registered developers to build tools to better support businesses and their communications with customers on Twitter. If you interacted with an account or business on Twitter that relied on a developer using the AAAPI to provide their services, the bug may have caused some of these interactions to be unintentionally sent to another registered developer. In some cases this may have included certain Direct Messages or protected Tweets, for example a Direct Message with an airline that had authorized an AAAPI developer. Similarly, if your business authorized a developer using the AAAPI to access your account, the bug may have impacted your activity data in error.

It is important to note that based on Twitter’s initial analysis, a complex series of technical circumstances had to occur at the same time for this bug to have resulted in account information definitively being shared with the wrong source. More here.

• • The bug ran from May 2017 and within hours of discovering it on September 10, 2018, Twitter shipped a fix to prevent data from being unintentionally sent to the incorrect developer.
  • The bug affected less than 1% of people on Twitter.
  • Any party that may have received unintended information was a developer registered through the developer program, which we they have significantly expanded in recent months to prevent abuse and misuse of data.

If your account was affected by this bug, Twitter will contact you directly through an in-app notice and on twitter.com.

They have contacted their developer partners and are working with them to ensure that they are complying with their obligations to delete information they should not have. Their investigation is ongoing. They will continue to provide updates with any relevant information.