Twitter has disclosed a bug that allowed accounts to stay logged in from multiple devices after a voluntary password reset, putting users’ data at potential hacking risk.
The company said that it has fixed the bug that didn’t close all active logged-in sessions on Android and iOS devices after an account’s password was reset.
“If you proactively changed your password on one device, but still had an open session on another device, that session may not have been closed. Web sessions were not affected and were closed appropriately,” the micro-blogging platform said in a statement late on Wednesday.
This bug was introduced after Twitter made a change to the systems that power password resets last year.
“To keep your account safe, we logged some of you out. You can log back in to keep using Twitter,” said the company.
Twitter said it has directly informed the people who may have been affected by this bug, “proactively logged them out of open sessions across devices, and prompted them to log in again”.
The incident happened as Twitter is facing larger scrutiny from the government after its former head of security, Peiter ‘Mudge’ Zatko, claimed that the company hid negligent security practices, misled federal regulators about its safety, and failed to estimate the number of bots on its platform.