Twitter said on Wednesday that some users have been logged out of their active sessions in response to a bug that posed a security risk.
The issue was related to password resets — when users reset their password, their active sessions on Android and iOS devices were not closed. Impacted users have been directly notified.
“We learned of a bug that allowed some Twitter accounts to stay logged in on multiple mobile devices after a voluntary password reset. That means that if you proactively changed your password on one device, but still had an open session on another device, that session may not have been closed,” Twitter explained.
The company said users do not have to take any action — except to log back into their account if they were signed out — and noted that web sessions were not impacted. It explained that the bug was introduced last year as a result of a change to systems powering password resets.
In August, the social media giant admitted that a vulnerability in its software had exposed the identities of anonymous account owners — some users, such as human rights activists, might not want to disclose their identities for security reasons.
The confirmation came following reports of 5.4 million users’ data being offered for sale. Twitter said at the time that the vulnerability was patched earlier this year, but it was likely exploited before it was fixed.
Twitter has come under fire after its former security chief Peiter Zatko brought to light some major issues. He said the social media giant has ignored significant user data protection problems, accusing executives of putting profit ahead of security.
The company was also recently ordered to pay a $150 million penalty for failing to protect the privacy of users’ data.