Twitter has discovered and fixed a security bug in one of its developer APIs that had been leaking the contents of direct messages sent to business accounts.
According to Twitter, the bug was in its Account Activity API, a premium interface that pushes real-time notifications of activity on a Twitter account (including direct messages) to the registered developer whose application that account has authorized. Businesses use it to run customer support over direct messages and to monitor their social streams.
If you sent a direct message to a business account between May 2017 and September 10, 2018, it is possible that the message was delivered to the wrong registered developer. Instead of reaching only the intended recipient and the developer running the business's messaging platform, a copy could have been routed to a different developer's application with no relationship to that conversation. The business accounts involved include those used for customer support by airlines, banks, and other companies.
Twitter stresses that the bug was fixed within hours of being discovered, but that still means it ran for roughly sixteen months without being detected. The company also says the bug affected less than 1 percent of people on Twitter. That is a small fraction but a large number of people: the sixty-eight million figure cited for the service corresponds to Twitter's reported monthly active users in the United States at the end of 2017, which alone would put the ceiling at around 680,000 people, and the worldwide active-user base was several times larger.
Twitter has begun notifying potentially affected users through in-app messages and notices on its website. The company's developer policies require partners to delete any information they received unintentionally, but Twitter has no technical means of verifying that this happens: it is relying on the developers who received misrouted messages to do the right thing and delete them.