Twitter notifies users about API bug that shared DMs with wrong devs

Joanna Estrada
September 23, 2018

Earlier today, Twitter began showing popup messages to affected users accessing the Twitter website or mobile app.

Twitter went into more detail about the bug on its Developer Blog, explaining that it could have allowed data to be sent to the wrong developer's webhook URL (the mechanism that some Twitter applications use to retrieve data).

Twitter said that not all direct messages, which unlike normal tweets are supposed to be private, were at risk: only those between users and companies, such as an airline.

Twitter says that it fixed the bug within hours of discovering it on September 10th.

"We're sorry that this happened".

Twitter has not discovered any instances where DMs or protected tweets were delivered to the wrong developer. "Based on our initial analysis, a complex series of technical circumstances had to occur at the same time for this bug to have resulted in account information definitively being shared with the wrong source".

Twitter said it found no sign that hackers accessed the exposed data but advised users that they should enter a new password on all services where their current password has been used. The bug was present for more than a year, from May 2017 until September 10, when Twitter found it. "Our investigation into this issue is ongoing, but presently we have no reason to believe that any data sent to unauthorized developers was misused".

As noted above, if you were affected by the problem, you have already been contacted.

In another tweet, the company emphasized that "this only involves potential interactions or Direct Messages you have had with companies using Twitter for things like customer service".

"Through our work so far, and the information made available to us by our partners, we can confirm that the bug did not affect any of the partners or customers with whom we have completed our review", Twitter said in its statement. "We will continue to provide updates with any relevant information".
