Twitter said that a “bug” sent user’s private direct messages to Twitter developers “who were not authorized to receive them.”
The social media giant began warning users Friday of the exposure with a message in the app.
“The issue has persisted since May 2017, but we resolved it immediately upon discovering it,” the message said, which was posted on Twitter. “Our investigation into this issue is ongoing, but presently we have no reason to believe that any data sent to unauthorized developers was misused.”
“No action is required from you,” the message said.
Twitter said discovered the exposure on September 10, but took almost two weeks to inform users.
It’s the second data-related bug this year. In May, the company said a bug mistakenly logged users’ passwords in plaintext in an internal log, used by Twitter staff. Twitter urged users to change their password.
A Twitter spokesperson did not immediately respond to a request for comment.