A Twitter Bug That Exposed Users' Private Tweets Since 2014 Has Been Squashed

Private things are meant to be private. They are no longer private if unauthorized people can see them.

Twitter has disclosed a bug that had persisted on its platform since 2014 and affected protected tweets and accounts on Android. The company said the bug was active between November 2014 and January 2019, and was capable of switching off the "Turn your tweets private" option when users made changes to their account.

Twitter said that:

"We've become aware of an issue in Twitter for Android that disabled the 'Protect your Tweets' setting if certain account changes were made.

"You may have been impacted by this issue if you had protected Tweets turned on in your settings, used Twitter for Android, and made certain changes to account settings such as changing the email address associated with your account between November 3, 2014, and January 14, 2019."

Twitter has also notified affected users about this issue, and has turned their 'Protect your Tweets' setting back on if it was disabled.

"We are providing this broader notice through the Twitter Help Center since we can’t confirm every account that may have been impacted," said Twitter.

"We encourage you to review your privacy settings to ensure that your 'Protect your Tweets' setting reflects your preferences."

"We’re very sorry this happened and we’re conducting a full review to help prevent this from happening again."

Twitter - tweet privacy setting

It is hard to understand how something this egregious went unnoticed by the company for more than four years. However, one good thing is that the bug didn't expose any sensitive data other than private tweets.

Twitter has been investigated by Irish data protection authorities over the way it tracks people when they click on links. The officials, who are looking for holes, are also looking into this data breach.

"The Irish Data Protection Commission (DPC) has been notified of this data breach and we are currently assessing its contents," stated the DPC.

Companies whose privacy practices are found lacking face fines of up to €20 million or 4 percent of their annual global revenue from the year before, whichever is higher, under the General Data Protection Regulation (GDPR).

Twitter said that the bug only affected users on Android. Users on iOS or the web were not impacted.

"We fixed the issue on January 14, and we'll provide updates if other important information becomes available," explained Twitter.

Published: 19/01/2019