The number of people impacted by the Twitter bug that saw private tweets posted publicly for years may be bigger than thought, according to a security expert.

The bug, which was announced by the company on Thursday, saw some Android app users’ private tweets inadvertently made public when settings changes were made.

It impacted tweets sent between 3 November 2014 and 14 January 2019, and while the numbers impacted are not clear, Anjola Adeniyi, technical account manager for EMEA at Securonix, warns that they may be worse than thought.

“While Twitter may have stated those who used Twitter via an Apple device or through the web would not have been affected by the bug, it is important to note Android has a larger market share, therefore the affected users may be larger than expected,” he said.

“What’s worse is Twitter cannot confirm the affected users; perhaps their internal investigation will ensure no one falls through the cracks.

“Security flaws may exist in systems, but in this case Twitter may have safeguarded its users by ensuring they gave their approval or received a notice before their private tweets were exposed.”

Twitter bug highlights sharing risks of social networks

The impact of the Twitter bug, which involved the Protect your Tweets option, remains unclear, but it highlights the risk posed in using social media to share private content – even if it appears to be secure.

“Twitter has dealt with problems like this before; last year it disclosed a bug which may have given some developers access to protected tweets and direct messages of some users,” said Adeniyi.

“Security researchers wrote a paper in 2015 that Twitter’s geolocation ‘enables the inference of sensitive information that could be misused for a wide range of scenarios (eg: from a repressive regime de-anonymising an activist’s account to an insurance company inferring a customer’s health issues, or a potential employer conducting a background check).’

“Perhaps users should be reminded that sharing things on social media platforms like Twitter could mean sharing them with the whole world. Twitter is already under investigation for General Data Protection Regulation (GDPR) violations when it turned down a subject access request.”