Twitter logged out some users after addressing a bug where some Twitter accounts remained logged on some mobile devices after voluntary password resets.
“That means that if you proactively changed your password on one device, but still had an open session on another device, that session may not have been closed. Web sessions were not affected and were closed appropriately,” Twitter explained.
There are some potential privacy risks for Twitter users who were affected by this bug, including having their accounts accessed by others who got their hands on devices that remained logged in without the user’s knowledge.
Because of this, the company reached out to those who might have been impacted and logged them out of their accounts on all active sessions across all devices.
“We have directly informed the people we were able to identify who may have been affected by this, proactively logged them out of open sessions across devices, and prompted them to log in again,” the company added
“We realize this may be inconvenient for some, but it was an important step to keep your account safe and secure from potential unwanted access.”
We fixed a bug that didn’t close all active logged in sessions on Android and iOS after an account’s password was reset. To keep your account safe, we logged some of you out. You can log back in to keep using Twitter.
For more details on what happened: https://t.co/OmjLKOe5bs
— Twitter Support (@TwitterSupport) September 21, 2022
In July, Twitter was hit by a data breach after threat actors put up for sale a database of phone numbers and email addresses linked to 5.4 million Twitter accounts stolen in December 2021.
The vulnerability the attacker used to collect the data is one disclosed to Twitter through HackerOne on January 1st and fixed on January 13th, as first reported by Restore Privacy.
BleepingComputer verified with some of the Twitter users listed in a small sample of data shared by the hacker that the leaked private info (email addresses and phone numbers) was accurate.
One month later, Twitter confirmed the reports, saying the threat actor used the zero-day vulnerability patched in January to collect private user information.
As part of the disclosure, Twitter told BleepingComputer that they had begun sending out notifications to alert impacted users that the data breach exposed their phone numbers or email address.
Since July, hacked verified Twitter accounts are also being used to send fake but well-written suspension messages that attempt to steal other verified users’ credentials.