Twitter disclosed a security issue on Thursday that had exposed protected tweets on Android devices – for more than four years.
According to the social media giant, if Twitter users on the Android operating system made specific changes to their account settings – like changing the email address associated with their account – over the last four years, the “Protect Your Tweets” setting became disabled. That means that personal Twitter accounts with tweets intended to be for private audiences were actually open to the public.
“You may have been impacted by this issue if you had protected Tweets turned on in your settings, used Twitter for Android, and made certain changes to account settings such as changing the email address associated with your account between November 3, 2014, and January 14, 2019,” said Twitter in a Thursday post.
Twitter said that it has fixed the issue as of Jan. 14 and has informed the users who were impacted. People using Twitter on their iOS devices are not impacted.
Twitter did not respond to further request for comment from Threatpost about how many users were impacted.
It’s only the most recent incident where Twitter has found itself in hot water for issues in its platform that exposed users’ tweets, direct messages – and even passwords.
In December, Twitter patched a flaw that enabled bad actors to pull the country codes of accounts’ phone numbers – and revealed that several IP addresses located in China and Saudi Arabia may have been trying to access the exposed data. Another issue, disclosed in December, allowed several apps to read users’ direct messages – even when they told users that they wouldn’t.
In May, a bug caused account passwords to be stored in plain text in an internal log; and in September, a flaw was disclosed that enabled software developers to read users’ private direct messages.
Twitter’s latest incident also comes as Apple CEO Tim Cook called on both the tech industry and the U.S. government to hold technology to a higher standard when it comes to data privacy and security on varying platforms.
The Apple executive on Wednesday called on Congress to pass “comprehensive federal privacy legislation” that would effectively regulate the collection of personal data, increases transparency around how and why data is collected, enables the right to access and delete personal data, and amps up data security.
To further check the preferences set for “Protect your Tweets,” Twitter users can review their privacy settings on their Twitter app.
“We recognize and appreciate the trust you place in us, and are committed to earning that trust every day,” said Twitter in its statement. “We’re very sorry this happened and we’re conducting a full review to help prevent this from happening again.”
Interested in learning more about data breach trends? Watch the free, on-demand Threatpost webinar, as editor Tom Spring examines the data breach epidemic with the help of noted breach hunter and cybersecurity expert Chris Vickery. Vickery shares how companies can identify their own insecure data, remediate against a data breach and offers tips on protecting data against future attacks.