Twitter said on Wednesday that some users have been logged out of their active sessions in response to a bug that posed a security risk.
The issue was related to password resets — when users reset their password, their active sessions on Android and iOS devices were not closed. Impacted users have been directly notified.
“We learned of a bug that allowed some Twitter accounts to stay logged in on multiple mobile devices after a voluntary password reset. That means that if you proactively changed your password on one device, but still had an open session on another device, that session may not have been closed,” Twitter explained.
The company said users do not have to take any action — except to log back into their account if they were signed out — and noted that web sessions were not impacted. It explained that the bug was introduced last year as a result of a change to systems powering password resets.
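The failure mode described above, as an added example that is not Twitter's code: a toy session store in which the buggy reset path revokes only the session that performed the reset, beside a fixed path that bumps a per-account password generation so every session issued earlier fails validation on any device, even if the stored rows have not been purged yet. The class and field names (`Account`, `password_generation`) are my own.

```python
import secrets


class Account:
    """Constructed account model with per-device sessions (not Twitter's code)."""

    def __init__(self, username):
        self.username = username
        self.password_generation = 0  # incremented on every password change
        self.sessions = {}            # token -> (device name, generation at issue)

    def login(self, device):
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (device, self.password_generation)
        return token

    def is_session_valid(self, token):
        entry = self.sessions.get(token)
        # A session is only valid if it was issued under the current password
        # generation; stale rows are rejected even before they are deleted.
        return entry is not None and entry[1] == self.password_generation

    def active_devices(self):
        return sorted(dev for tok, (dev, _) in self.sessions.items()
                      if self.is_session_valid(tok))

    def reset_password_buggy(self, current_token):
        # Pattern matching the reported bug: only the session that performed
        # the reset is dropped, so other devices stay logged in.
        device, _ = self.sessions.pop(current_token)
        return self.login(device)

    def reset_password_fixed(self, current_token):
        # Bumping the generation invalidates every previously issued session
        # on every device; the resetting device gets a fresh session.
        device, _ = self.sessions.pop(current_token)
        self.password_generation += 1
        return self.login(device)


def demo(fixed):
    """Returns (other device still valid?, resetting device has a valid session?)."""
    acct = Account("alice")
    ios = acct.login("iOS")
    android = acct.login("Android")
    reset = acct.reset_password_fixed if fixed else acct.reset_password_buggy
    new_ios = reset(ios)
    return acct.is_session_valid(android), acct.is_session_valid(new_ios)


if __name__ == "__main__":
    print("buggy reset:", demo(False))  # (True, True): Android session survives
    print("fixed reset:", demo(True))   # (False, True): only the new session is valid
```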
In August, the social media giant admitted that a vulnerability in its software had exposed the identities of anonymous account owners — some users, such as human rights activists, might not want to disclose their identities for security reasons.
The confirmation came following reports of 5.4 million users’ data being offered for sale. Twitter said at the time that the vulnerability was patched earlier this year, but it was likely exploited before it was fixed.
Twitter has come under fire after its former security chief Peiter Zatko brought to light some major issues. He said the social media giant has ignored significant user data protection problems, accusing executives of putting profit ahead of security.
The company was also recently ordered to pay a $150 million penalty for failing to protect the privacy of users’ data.
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.