Twitter says it has fixed a bug that resulted in a user’s approximate location information being shared with an unnamed Twitter partner.
“We have discovered that we were inadvertently collecting and sharing iOS location data with one of our trusted partners in certain circumstances,” the company said in a blog post.
According to the post, the bug only affected iOS users of the Twitter app who had a second account on their phones. If a user had allowed Twitter to access precise location data on one account, the setting was automatically applied to the other account(s) as well, even when the user had not opted in to location data sharing on them.
Due to a bug in Twitter for iOS, we inadvertently collected and shared location data (at the zip code or city level). We have fixed the bug, but we wanted to make sure we shared more of the context around this with you. More here: https://t.co/n04LNt62Sa
— Twitter Support (@TwitterSupport) May 13, 2019
Twitter also noted that the collected information was then shared with a trusted partner for the purpose of serving ads through a process called real-time bidding. It sought to allay privacy concerns by stating that the location data was “fuzzed” to reduce its accuracy to the nearest zip code or city, and that the partner that inadvertently received the location data did not also receive users’ Twitter handles or unique account identifiers.
“We have confirmed with our partner that the location data has not been retained and that it only existed in their systems for a short time, and was then deleted as part of their normal process,” it stated on the help site.
Although Twitter didn’t say when the data sharing took place, the social media company said it has already notified impacted users, and urged users to revisit their privacy settings in light of the security incident.
It’s also worth noting that this security issue is Twitter’s fourth bug in the past year.
Last September, a bug in the Twitter API accidentally exposed private messages and protected tweets to developers not authorized to read them.
In December, the company disclosed that “state-sponsored actors” may have exploited a vulnerability in its online support form to obtain the country code of a user’s phone number and determine whether or not the account had been locked by Twitter.