Twitter has logged out some users after fixing a bug where some Twitter accounts remained logged in on some mobile devices after a voluntary password reset.
“This means that if you proactively changed your password on one device, but were still logged in on another device, that session may not have been logged off. Web sessions were not affected and have been appropriately closed,” Twitter explained.
The bug poses potential privacy risks for affected Twitter users, including having their accounts accessed by others who have gotten their hands on devices that remained logged in without the user's knowledge.
For this reason, the company contacted those who may have been affected and logged them out of their accounts on all active sessions on all devices.
“We directly notified people we could identify who may have been affected by this, proactively disconnected them from open sessions on all devices, and encouraged them to reconnect,” the company added.
“We realize this may be inconvenient for some, but this was an important step in protecting your account from potential unwanted access.”
We fixed a bug that did not close all active login sessions on Android and iOS after resetting an account’s password. To protect your account, we have disconnected some of you. You can log back in to continue using Twitter.
For more details on what happened: https://t.co/OmjLKOe5bs
— Twitter Support (@TwitterSupport) September 21, 2022
In July, Twitter was affected by a data breach after threat actors put up for sale a database of phone numbers and email addresses linked to 5.4 million stolen Twitter accounts in December 2021.
BleepingComputer verified with some of the Twitter users listed in a small sample of data shared by the hacker that the private information disclosed (email addresses and phone numbers) was accurate.
A month later, Twitter confirmed the information, saying that the threat actor used a zero-day vulnerability patched in January to collect information about private users.
As part of the disclosure, Twitter told BleepingComputer that it had started sending out notifications to alert affected users that the data breach exposed their phone numbers or email addresses.
Since July, hacked verified Twitter accounts have also been used to send fake but well-written suspension messages that attempt to steal the credentials of other verified users.