Twitter has announced that it has fixed a bug in its Account Activity API that could have delivered users’ data to the wrong registered developer. This API allows registered developers to build tools to better support businesses and their communications with customers on the platform. "If you interacted with an account or business on Twitter that relied on a developer using the AAAPI to provide their services, the bug may have caused some of these interactions to be unintentionally sent to another registered developer. In some cases this may have included certain Direct Messages or protected Tweets, for example a Direct Message with an airline that had authorized an AAAPI developer. Similarly, if your business authorized a developer using the AAAPI to access your account, the bug may have impacted your activity data in error," Twitter said in a blog post.
The microblogging platform says that as part of its ongoing investigation, it has already sent an email to all developers who may have been impacted. Twitter also claims that there is only one set of technical circumstances where this issue could have occurred.
In a communication to the affected users, Twitter sent a message explaining the timeline of the bug and the action taken to fix it. “On Monday, September 10, we identified a bug that may have sent one or more of your Direct Messages or protected Tweets to Twitter developers who were not authorised to receive them. We resolved it immediately upon discovering it,” the company said.
As per the company, the bug has affected less than one percent of people on Twitter and any party that may have received unintended information was a developer registered through the company’s developer programme which prevents abuse and misuse of users’ data. Twitter has 335 million users, according to its latest earnings release. The company says that it is working with its most active enterprise data customers and partners who have access to this API to evaluate if they were impacted.
“Through our work so far, and the information made available to us by our partners, we can confirm that the bug did not affect any of the partners or customers with whom we have completed our review. Over the coming days, we will continue our investigations to include a review of our remaining enterprise partners who could have been impacted,” the company said in a blog post. In May this year, Twitter asked its users to change the password of their accounts after it discovered a bug that stored passwords in plain text in an internal system. “We have fixed the bug, and our investigation shows no indication of breach or misuse by anyone,” it announced.