Twitter Fixes Privacy Bug That Affected 93,000 Users

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.

The flaw, picked up by a security researcher, had been active since November of last year, according to the social media company

Twitter has said it fixed a bug in its systems that affected the privacy of more than 93,000 accounts for several months.

The issue affected protected accounts, whose messages are under normal circumstances only visible to “followers” approved by the user, according to Bob Lord, Twitter’s director of information security. In the case of 93,788 of these accounts, non-approved followers were allowed to receive protected tweets via SMS or push notifications, according to Lord.
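The failure mode described above is a visibility rule enforced on the timeline but skipped by a side channel (SMS and push delivery). The following is a constructed illustration added here, not Twitter's code: one `can_view` rule, a flawed fan-out that never consults it, a hardened fan-out that does, and an audit helper that lists subscribers who would receive protected tweets without approval. All account names are made up.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    """Hypothetical account model (constructed for this example)."""
    handle: str
    protected: bool = False
    approved_followers: set = field(default_factory=set)
    # follow requests the owner has not approved; they must see nothing
    pending_followers: set = field(default_factory=set)

def can_view(author: Account, viewer: str) -> bool:
    """Single authorization rule: protected tweets go only to approved followers."""
    if not author.protected:
        return True
    return viewer in author.approved_followers

def deliver_buggy(author: Account, tweet: str, subscribers: set) -> dict:
    """Flawed notification path: fans the tweet out to everyone subscribed to
    the author's SMS/push alerts without ever consulting can_view()."""
    return {s: tweet for s in subscribers}

def deliver_fixed(author: Account, tweet: str, subscribers: set) -> dict:
    """Hardened path: every delivery channel runs the same visibility check
    as the timeline, so a pending follower gets no notification."""
    return {s: tweet for s in subscribers if can_view(author, s)}

def audit_leaks(author: Account, subscribers: set) -> list:
    """Detection helper: subscribers who would receive protected tweets
    despite not being approved, sorted for stable reporting."""
    return sorted(s for s in subscribers if not can_view(author, s))

# Constructed sample: a protected account with one approved and one pending follower,
# both of whom subscribed to SMS/push alerts.
ALICE = Account("alice", protected=True,
                approved_followers={"bob"}, pending_followers={"mallory"})
SUBSCRIBERS = {"bob", "mallory"}

if __name__ == "__main__":
    print("buggy :", deliver_buggy(ALICE, "private update", SUBSCRIBERS))
    print("fixed :", deliver_fixed(ALICE, "private update", SUBSCRIBERS))
    print("leaks :", audit_leaks(ALICE, SUBSCRIBERS))
```

The audit function is the kind of check that would have surfaced the unapproved deliveries before a researcher did.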

The bug had been in effect since November 2013, Lord said.

While the number of users is small compared with Twitter’s more than 240 million active users per month, Lord said the company was taking the issue seriously.

“This should not have happened,” Lord said in a blog post on Sunday. “We’ve emailed each of these affected users to let them know about this bug and extend our whole-hearted apologies.”

The unapproved follows have been removed, and Twitter said it has “taken steps” to prevent a similar situation from recurring.

The bug was discovered and reported to Twitter by a “white hat” security researcher, according to Lord.

Ongoing security problems

The event follows a false alarm earlier this month, when a system error resulted in Twitter sending thousands of messages to users, telling them, erroneously, that their accounts had been compromised.

A real security breach last year resulted in the passwords and usernames of 250,000 users being stolen, along with emails and other data, while in August a hacker leaked the details of more than 15,000 Twitter accounts, which had apparently been stored by third-party applications.

Twitter accounts have also become a popular target for activist groups such as the Syrian Electronic Army (SEA), with major organisations including Microsoft, Thomson Reuters, CNN and the Guardian seeing their Twitter accounts compromised in recent months.

Such incidents have led Twitter to introduce a number of improvements to its security and authentication systems. In 2012 Twitter enabled the secure HTTPS protocol for its users by default.

In February Twitter posted its first earnings report since it went public last November, showing improving financials but slowing growth in the company’s user base. The company revealed it has 241 million monthly active users, with 48 billion views of Twitter timelines recorded in the last three months.
