Twitter has revealed that last week there was a “bug” in its password recovery system that could have potentially exposed the email addresses and phone numbers of a “small number” of users. The company places this number at around less than 10,000 active accounts, all of whom have been notified today: “If you weren’t notified, you weren’t affected,” wrote Michael Coates, Twitter’s trust and info security officer.
In a blog post, the company said that it discovered the bug last week, and that it was operational for about 24 hours. Upon discovery, Twitter fixed it and concluded that no passwords or other information needed to directly access an account had been exposed.
“We take these incidents very seriously, and we’re sorry this occurred,” Coates stated. “Any user that we find to have exploited the bug to access another account’s information will be permanently suspended, and we will also be engaging law enforcement as appropriate so they may conduct a thorough investigation and bring charges as warranted.”
The company took the opportunity to also remind users about “good account security hygiene, such as requiring additional information to reset a password, using a strong password, implementing login verification, and revoking third-party app access privileges for those not recognized.