Twitter bug exposed some Android private tweets to public view

In October, after Twitter refused to give a user information about how it tracks him when he clicks on links in tweets (as is the right of EU citizens under the sweeping General Data Protection Regulation [GDPR] privacy law, in force since May 2018), Irish privacy authorities launched an investigation into the platform’s privacy practices.

Things could get hairier still, given the major privacy glitch Twitter disclosed on Thursday.

Twitter said that it had become aware of a bug that, under certain circumstances, switched private tweets to public view in Twitter for Android. The bug went unnoticed for more than four years, from 3 November 2014 until it was caught and fixed last Monday.

The bug disabled the “Protect your Tweets” setting for Android users if certain account changes were made, Twitter said, such as changing the email address associated with the account. Android users who changed their email address at any point during that period would be well-advised to check that the setting is still switched on.

This doesn’t affect iOS or web users. Twitter says it fixed the issue on 14 January.

Twitter also turned “Protect your Tweets” back on for users it knows were affected. The thing is, the company isn’t entirely sure that it got to every affected account. Hence, it posted the notice in the Twitter Help Center and is encouraging people to review their privacy settings to make sure “Protect your Tweets” is still set correctly.
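Twitter did not disclose the root cause, so the following is an added illustration of the bug class the notice describes, not Twitter’s code. It assumes one plausible mechanism (a hypothetical one): the email-change screen submits a settings form that omits the privacy flag, and the server rebuilds the whole record from that form, so the flag falls back to the public default. Beside the flawed update it shows the hardened form that patches only the edited field, a regression invariant that an email change must never flip the flag, and a clean-up sweep of the kind described above that turns the flag back on for accounts where it was lost across an email change. All sample data is constructed.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AccountSettings:
    user_id: int
    email: str
    protected: bool  # True == "Protect your Tweets" enabled


def change_email_buggy(current: AccountSettings, form: Dict[str, object]) -> AccountSettings:
    """Assumed flaw (hypothetical, not Twitter's disclosed root cause): the server
    rebuilds the entire settings record from the submitted form, so a client that
    never sends the privacy flag silently resets it to the public default."""
    return AccountSettings(
        user_id=current.user_id,
        email=str(form["email"]),
        protected=bool(form.get("protected", False)),
    )


def change_email_fixed(current: AccountSettings, form: Dict[str, object]) -> AccountSettings:
    """Hardened form: touch only the field this screen is allowed to edit and
    carry every other field over from the stored record unchanged."""
    return replace(current, email=str(form["email"]))


def privacy_flag_preserved(before: AccountSettings, after: AccountSettings) -> bool:
    """Regression invariant: an email change must never flip 'protected'."""
    return before.protected == after.protected


def remediate(
    history: List[Tuple[AccountSettings, AccountSettings]]
) -> Tuple[List[AccountSettings], List[int]]:
    """Clean-up sweep: for each recorded (before, after) pair where the protect
    flag was lost across an email change, turn it back on. Accounts that were
    already public are left alone. Returns the repaired records and the ids touched."""
    repaired: List[AccountSettings] = []
    touched: List[int] = []
    for before, after in history:
        lost_flag = before.protected and not after.protected
        if lost_flag and before.email != after.email:
            repaired.append(replace(after, protected=True))
            touched.append(after.user_id)
        else:
            repaired.append(after)
    return repaired, touched


def demo() -> Dict[str, object]:
    # Constructed sample accounts: alice is protected, bob is already public.
    alice = AccountSettings(1, "alice@example.com", protected=True)
    bob = AccountSettings(2, "bob@example.com", protected=False)
    android_form = {"email": "alice2@example.com"}  # no 'protected' key sent

    buggy = change_email_buggy(alice, android_form)
    fixed = change_email_fixed(alice, android_form)

    # bob also changed his email through the buggy path; the sweep must not touch him.
    bob_after = change_email_buggy(bob, {"email": "bob2@example.com"})
    repaired, touched = remediate([(alice, buggy), (bob, bob_after)])

    return {
        "buggy_preserves_flag": privacy_flag_preserved(alice, buggy),
        "fixed_preserves_flag": privacy_flag_preserved(alice, fixed),
        "remediated_ids": touched,
        "alice_protected_after_sweep": repaired[0].protected,
        "bob_protected_after_sweep": repaired[1].protected,
    }


if __name__ == "__main__":
    print(demo())
```

The sweep only repairs accounts whose flag went from on to off alongside an email change, which is why it depends on having a before/after history; without such a record a service cannot be sure it has found every affected account, which is the gap the notice itself admits.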

Graham X. Doyle, head of communications at the Irish Data Protection Commission (DPC), told Bloomberg Law on Thursday that the commission hasn’t yet launched a formal investigation into this new security flaw, but that it’s mulling the matter:

The [DPC] has been notified of this data breach and we are currently assessing its contents.

A company violating GDPR can face fines of up to €20 million or 4% of its global annual turnover, whichever is higher.

Liz Kelley, a spokesperson for Twitter, told Bloomberg that it acted “immediately” to fix the problem once it was discovered. She said that Twitter’s also working with regulators to address the issue.

Twitter hasn’t put a number on how many users were affected.