Twitter yesterday reported an “incident” affecting an unspecified number of users who had reset their password.
On its privacy centre page, the social media giant disclosed that a “bug” introduced last year left some accounts logged in on other mobile devices after a user completed a voluntary password reset, instead of ending those sessions as a reset is expected to do.
“We learned of a bug that allowed some Twitter accounts to stay logged in on multiple mobile devices after a voluntary password reset… This bug was introduced after we made a change to the systems that power password resets last year.”
The company says it has reached out to users who may have been affected and logged them out of their accounts, ending all active sessions on all devices.
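The mechanism behind this class of bug, as an added Python example that is not Twitter's code: a password reset that rewrites the credential but never consults the session table leaves every existing token valid, so a device the owner no longer controls stays logged in. The fix shown is the usual one, binding each session to the password generation it was issued under and purging sessions on reset. The `AuthService` class, the user `alice` and the device names are constructed for illustration.

```python
"""Added example (not Twitter's code): sessions that survive a password reset,
and the fix of binding sessions to a password generation counter."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the demo dependency-free; a real service would prefer argon2id.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    pw_generation: int = 0  # incremented on every credential change


@dataclass
class Session:
    username: str
    device: str
    pw_generation: int  # generation the session was issued under


class AuthService:
    """bind_sessions=False reproduces the bug: reset rewrites the password hash
    but the session table is never touched, so old tokens keep working.
    bind_sessions=True is the fix (hypothetical service, constructed for this example)."""

    def __init__(self, bind_sessions: bool):
        self.bind_sessions = bind_sessions
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}  # token -> Session

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = User(salt, hash_password(password, salt))

    def login(self, username: str, password: str, device: str) -> Optional[str]:
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(
            user.pw_hash, hash_password(password, user.salt)
        ):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(username, device, user.pw_generation)
        return token

    def is_logged_in(self, token: str) -> bool:
        session = self.sessions.get(token)
        if session is None:
            return False
        if not self.bind_sessions:
            return True  # buggy: validity is never rechecked against the credential
        # Fixed: a token issued under an older password generation is dead even if
        # the reset handler forgot to delete it from the table.
        return session.pw_generation == self.users[session.username].pw_generation

    def reset_password(self, username: str, new_password: str) -> int:
        """Rotate the password and return how many sessions were revoked."""
        user = self.users[username]
        user.salt = os.urandom(16)
        user.pw_hash = hash_password(new_password, user.salt)
        if not self.bind_sessions:
            return 0  # the bug: nothing here looks at self.sessions
        user.pw_generation += 1
        stale = [t for t, s in self.sessions.items() if s.username == username]
        for t in stale:
            del self.sessions[t]  # explicit purge: the "logged out everywhere" remediation
        return len(stale)


def demo(bind_sessions: bool) -> Dict[str, bool]:
    """Constructed scenario: a lost phone is still logged in when the owner resets."""
    svc = AuthService(bind_sessions)
    svc.register("alice", "hunter2")
    phone = svc.login("alice", "hunter2", "old-phone")  # later lost or stolen
    laptop = svc.login("alice", "hunter2", "laptop")
    svc.reset_password("alice", "correct horse battery staple")
    return {
        "stolen_phone_still_logged_in": svc.is_logged_in(phone),
        "laptop_still_logged_in": svc.is_logged_in(laptop),
        "old_password_rejected": svc.login("alice", "hunter2", "old-phone") is None,
    }


if __name__ == "__main__":
    print("buggy:", demo(bind_sessions=False))
    print("fixed:", demo(bind_sessions=True))
```

Both the generation check in `is_logged_in` and the purge in `reset_password` are kept on purpose: the purge gives the user an immediate "logged out everywhere" effect, while the generation check means a session store that is out of sync (a replica, a cache, a mobile client that was offline) still cannot keep an old token alive.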
A statement by a Twitter spokesperson to Engadget notes that, for most people, the bug would not have led to any harm or account compromise.
Though Twitter affirms that the accounts of “most people” would not have been compromised, the news may concern anyone who shared a device in the past year or dealt with a lost or stolen one, since resetting the password is precisely how a user expects to lock such a device out of the account.
BleepingComputer, two months ago, reported a data breach in which phone numbers and email addresses linked to 5.4 million Twitter accounts, stolen in December 2021, were leaked.
The vulnerability, which attackers used to collect data, was disclosed to Twitter via HackerOne on January 1 and patched on January 13, as first reported by Restore Privacy.
A month later, Twitter confirmed the report and said the threat actor had used that vulnerability, a zero-day at the time and patched in January, to collect personal user information.
Twitter’s disclosure of the password reset incident also comes as the company is rocked by allegations from its former head of security, who filed a whistleblower complaint accusing it of “grossly negligent” security practices.