Twitter has disclosed affecting the accounts of an unspecified number of users who opted to reset their passwords. According to the company, a “bug” introduced sometime in the last year prevented Twitter users from being logged out of their accounts on all of their devices after initiating a password reset.
“if you proactively changed your password on one device, but still had an open session on another device, that session may not have been closed,” Twitter explains in a brief blog post. “Web sessions were not affected and were closed appropriately.”
Twitter says it is “proactively” logging some users out as a result of the bug. The company attributed the issue to “a change to the systems that power password resets” that occurred at some point in 2021. A Twitter spokesperson declined to elaborate on when this change was made or exactly how many users are affected. “I can share that for most people, this wouldn’t have led to any harm or account compromise,” the spokesperson said.
While Twitter states that “most people” wouldn’t have had their accounts compromised as a result, the news could be worrying for those who have used shared devices, or dealt with a lost or stolen device in the last year.
Notably, Twitter’s disclosure of the incident comes as the company is reeling from allegations from its former head of security who had filed a whistleblower complaint accusing the company of security practices. Twitter has so far to address the claims in detail, citing its ongoing with Elon Musk. Musk the whistleblower allegations in his legal case to get out of his $44 billion deal to buy Twitter.