Twitter has revealed that a “security incident” caused private tweets sent to Twitter circles to be publicly broadcast to users outside the circle.
Twitter Circle is a feature released in August 2022 that allows users to send tweets to a small circle of people, promising to keep them private from the public.
“Twitter Circle is a way to tweet to select people and share your thoughts with a smaller audience,” reads Twitter's description of the privacy feature.
“You choose who is in your Twitter circle, and only people you add can reply to and interact with Tweets you share in the circle.”
However, around April 7, Twitter users began warning that tweets sent to Twitter circles were no longer private and were being shown publicly, in their feeds, to people outside the circle.
In a notification sent yesterday to affected users, Twitter says a “security incident” caused Twitter Circle’s private tweets to be posted publicly.
“We are contacting you because your Twitter account may have been potentially impacted by a security incident that occurred earlier this year (April 2023),” reads a security incident notification sent by Twitter yesterday.
“In April 2023, a security incident may have allowed users outside your Twitter circle to see tweets that would otherwise have been restricted to the circle you were posting to. This issue has been identified by our security team and immediately fixed so these tweets were no longer visible outside of your circle.”
“We have conducted a thorough investigation to understand how this happened and have resolved this issue. Twitter is committed to protecting the privacy of individuals who use our service, and we understand the risks that an incident like this can introduce and we deeply regret it happened.”
Although Twitter has not shared the cause of this security incident, the social site has been making rapid changes to its platform since Elon Musk took over.
Many of these changes revolved around increasing tweet exposure through Twitter’s recommendation algorithm, which Musk said at the end of March would be updated every 28-48 hours.
BleepingComputer has reached out to Twitter to learn more about the security incident and will update the article if we receive a response.