A bug in Twitter’s account activity API inadvertently leaked sensitive data to other developers, including direct messages and protected tweets, Twitter announced on Friday.
“If you interacted with an account or business on Twitter that relied on a developer using the AAAPI to provide their services, the bug may have caused some of these interactions to be unintentionally sent to another registered developer,” the company said in a statement.
The bug, which ran from May 2017 until September 10, 2018, required a “complex series of technical circumstances to occur” and impacted less than one percent of Twitter users.
Twitter counts over 335 million active users as of July.
Affected users are being directly contacted by Twitter. Those users have taken to the platform to complain about the bug.
The company’s investigation into the issue is ongoing.