When you send a direct message on Twitter, you expect the information to be kept private between you and the intended recipient; unfortunately, Twitter revealed today that due to a software bug, some direct messages might have ended up in the wrong hands. The error may have affected communications between some of Twitter’s user base and business accounts on the platform as far back as May 2017.
According to Twitter, the company recently discovered a bug within its Account Activity API — a programming interface that allows business developers to source information regarding other accounts in real-time. The API feature is regarded as a source of premium information access that allows businesses to connect with customers and monitor social streams.
If you direct messaged a business account between May 2017 and September 10, 2018, it is possible that your information was unintentionally routed to a registered developer. Instead of your private information being shared only with the intended recipient, the developer of the platform used by the business may have also received its contents. Businesses that users may have interacted with include accounts for customer support, airlines, banks, and more.
The team at Twitter stresses that the bug was fixed within hours of being discovered, but that still means it ran for sixteen months without being detected. The company has also noted that the software glitch affected less than 1 percent of people on Twitter, but with Twitter having sixty-eight million active users as of early 2018, that could mean that up to approximately 680,000 people were affected.
Twitter has begun reaching out via in-app communication and website notices to any users who may have been compromised by the incident. The company’s policies require developer partners to dispose of any information that they may have unintentionally received. As expected, Twitter is hoping that developers will do the right thing and delete any intercepted messages.
Most businesses do not ask consumers to send sensitive information via direct messages, but if you have sent anything you consider sensitive to a business account via direct message, it is vital to keep an eye out for any fraudulent activity that may result from the incident.