Twitter bug that made your private tweets public went unnoticed for over 4 years

Image: Aytac Unal/Anadolu Agency/Getty Images

Twitter users with an Android device should double- check their accounts, especially if they sent a tweet sometime between 2014 and 2019.

In a on the Twitter help forum on Thursday, the social network disclosed details surrounding a privacy bug that affected Twitter for Android users with protected tweets. 

According to Twitter, if a user enabled “Protect your Tweets” in their settings, used the Twitter for Android app, and made other updates to their account settings, it’s possible that the protected tweets setting was disabled without users’ knowledge. One example provided by Twitter of an account settings change that could have triggered the bug is a change to an account’s email address.

Twitter says the security flaw affected Android for Twitter users between Nov. 3, 2014 and Jan. 14, 2019. Twitter for iOS and web users were not impacted by the issue.

In its disclosure, the company said they reached out to users whose settings were changed due to the bug. However, Twitter is urging all Twitter for Android users to check their settings, as the company cannot confirm every account that the privacy flaw affected.

In a statement to Mashable, Twitter clarified that the users who could be affected would have had to change their settings (such as the account’s email) within Twitter for Android. 

The protected tweets feature allows users to lock down their Twitter accounts to the public. The user’s tweets are only shown to the account’s followers. Those who try to follow the account must first be approved by the user. Accounts with protected tweets cannot be retweeted. The now-fixed protected tweets issue would have made a user’s tweets publicly visible and allow any user to retweet or follow the account.

The timing of the bug’s discovery could not have come at a more inopportune time for Twitter. The company is already under investigation for General Data Protection Regulation (GDPR) violations. The sweeping EU privacy law gives its citizens the right to request their personal data from companies. When Twitter from a researcher looking for data related to the service’s short URL, the Irish Data Protection Commission (DPC) opened an investigation.

The DPC is aware of this Twitter for Android privacy issue, according to . Officials are currently looking into the matter and have not yet opened a second investigation into the company.

Under the GDPR, a company violating the law can face fines of up to 4 percent of its annual revenue. Twitter $758 million in revenue during the third quarter of 2018 alone.