Data privacy is something the tech industry has struggled with for quite some time. Though the Cambridge Analytica scandal involving Facebook was one of the most high-profile examples of that trend, Twitter isn't immune to similar problems.
According to an announcement published by the social media platform today, a bug in its "Account Activity API" (AAAPI) may have sent users' private messages to third-party developers.
To be clear, this didn't happen at random, and it's unlikely that any private messages between regular users have been compromised. Rather, messages sent to "an account or business" that involved the AAAPI may have been sent to one of Twitter's other registered developers - ones that weren't associated with the business or account in question.
Twitter's summary of the situation is as follows:
If you interacted with an account or business on Twitter that relied on a developer using the AAAPI to provide their services, the bug may have caused some of these interactions to be unintentionally sent to another registered developer.
In some cases this may have included certain Direct Messages or protected Tweets, for example a Direct Message with an airline that had authorized an AAAPI developer. Similarly, if your business authorized a developer using the AAAPI to access your account, the bug may have impacted your activity data in error.
Interestingly, this bug isn't a recent one. According to Twitter, it's been present since May 2017, though developers only discovered it on September 10. The company says it was fixed "within hours," adding that it affected "less than 1%" of users on Twitter.
It's tough to say how big of a deal this bug is. While I don't use Twitter's user-to-business communication features myself, it seems likely that some of these conversations could have involved the transfer of sensitive information.
After all, many customer service reps on Twitter advise users to direct message company social media accounts to resolve their problems. Still, the bug doesn't seem to be all that widespread, so if some sensitive information was exposed, at least it was only on a relatively small scale.