Twitter said on Wednesday that some users have been logged out of their active sessions in response to a bug that posed a security risk.
The issue was related to password resets — when users reset their password, their active sessions on Android and iOS devices were not closed. Impacted users have been directly notified.
“We learned of a bug that allowed some Twitter accounts to stay logged in on multiple mobile devices after a voluntary password reset. That means that if you proactively changed your password on one device, but still had an open session on another device, that session may not have been closed,” Twitter explained.
The company said users do not have to take any action — except to log back into their account if they were signed out — and noted that web sessions were not impacted. It explained that the bug was introduced last year as a result of a change to systems powering password resets.
In August, the social media giant admitted that a vulnerability in its software had exposed the identities of anonymous account owners — some users, such as human rights activists, might not want to disclose their identities for security reasons.
The confirmation came following reports of 5.4 million users’ data being offered for sale. Twitter said at the time that the vulnerability was patched earlier this year, but it was likely exploited before it was fixed.
Twitter has come under fire after its former security chief Peiter Zatko brought to light some major issues. He said the social media giant has ignored significant user data protection problems, accusing executives of putting profit ahead of security.
The company was also recently ordered to pay a $150 million penalty for failing to protect the privacy of users’ data.
Related: Twitter Says it Removes 1 Million Spam Accounts a Day
Related: Musk Ditches Twitter Deal, Triggering Defiant Response
Related: Twitter Users Can Now Secure Accounts With Multiple Security Keys
Related: Whistleblower: China, India Had Agents Working for Twitter

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Hive Ransomware Operation Shut Down by Law Enforcement
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
- Dozens of Cybersecurity Companies Announced Layoffs in Past Year
- Security Update for Chrome 109 Patches 6 Vulnerabilities
- New Open Source OT Security Tool Helps Address Impact of Upcoming Microsoft Patch
- Forward Networks Raises $50 Million in Series D Funding
- Apple Patches Exploited iOS Vulnerability in Old iPhones
- FBI Confirms North Korean Hackers Behind $100 Million Horizon Bridge Heist
Latest News
- Cyberattacks Target Websites of German Airports, Admin
- US Infiltrates Big Ransomware Gang: ‘We Hacked the Hackers’
- Tenable Launches $25 Million Early-Stage Venture Fund
- 820k Impacted by Data Breach at Zacks Investment Research
- Mapping Threat Intelligence to the NIST Compliance Framework Part 2
- Hive Ransomware Operation Shut Down by Law Enforcement
- US Government Agencies Warn of Malicious Use of Remote Management Software
- UK Gov Warns of Phishing Attacks Launched by Iranian, Russian Cyberspies
