In an update earlier this week, the social media company explained that the bug meant users who proactively changed their passwords on one device may have still been able to access open sessions on other screens.
It is important to note that users who choose password resets voluntarily may be doing so because they’re concerned their account has been compromised.
In simple terms, the bug meant that a threat actor who was able to access an account in some way would have continued to be able to do so even after such a reset.
It’s been made unclear exactly how long users have been exposed in this way, but Twitter explained that the issue appeared after it made a change “last year” to the systems that power its password reset functionality.
“We have directly informed the people we were able to identify who may have been affected by this, proactively logged them out of open sessions across devices, and prompted them to log in again,” the firm explained.
“We realize this may be inconvenient for some, but it was an important step to keep your account safe and secure from potential unwanted access.”
There is questionable doubt over whether Twitter has notified all those affected. It may be possible that users may want to proactively log out of their account and/or reset passwords across their devices in any case.
Users have been encouraged by the social media giant to familiarize themselves with the security controls available in their settings and to review active open sessions regularly.
“You can also review how to reset a lost or forgotten password on our Help Center,” it added.
An observation shows that Twitter has been in the security news this year for all the wrong reasons.
For instance, it was reported in May that they agreed to pay a $150m fine to settle a federal privacy suit over privacy data violations, while a few months later a former CSO blew the whistle on an alleged litany of security vulnerabilities and mismanagement at the firm.