Micro-blogging site Twitter announced they have patched a bug that affected one of its “Account Activity Application Programming Interface” (AAAPI) which sent user’s private direct messages to third-party developers who were not authorized to receive them.
The bug ran from May 2017 but was fixed on September 10, 2018, after the company found it. It is estimated that it has affected less than 1 percent of Twitter’s account holders, it means that more than 3 million people are potentially impacted.
The company has started notifying individuals via an in-app notice and on Twitter.com. “A bug affecting one of our APIs
On Monday, September 10, we identified a bug that may have sent one or more of your Direct Messages or protected Tweets (if your account was protected at the time) to Twitter developers who were not authorized to receive them. The issue has persisted since May 2017, but we resolved it immediately upon discovering it. Our investigation into this issue is ongoing, but presently we have no reason to believe that any data sent to unauthorized developers was misused. Learn more.
According to the company’s initial investigation report, there is no evidence that any data was improperly misused or exploited anywhere.
However, the investigation is still going on and they will be able to comment on the incidence once they get a final report of investigation. The company has also mentioned that they will review their enterprise partners.
We have no evidence to suggest that any data was improperly misused or exploited anywhere,