Twitter, the popular social media and microblogging site, announced this week that, because of a bug in its system, it had been inadvertently collecting location data from iOS versions of its application and sending it to a trusted partner without the consent of the affected users.
In a blog post, Twitter said that they discovered a data breach caused by a bug and they were “inadvertently collecting and sharing iOS location data with one of our trusted partners in certain circumstances.”
The breach specifically affected those who had been using more than one account in the iOS Twitter app while the precise location setting was enabled.
“[W]e may have accidentally collected location data when you were using any other account(s) on that same device for which you had not turned on the precise location feature,” Twitter wrote.
Nonetheless, Twitter clarified that none of the transmitted data were actually “precise” location data because it was already “fuzzed” to only include a ZIP code or city (5 km squared), adding that the disclosed data could not be used to map the location of the affected users.
Twitter also assured the affected users that the partner did not receive any identifiable information such as Twitter handles or other unique account IDs that could have compromised the affected user’s identity.
Furthermore, Twitter said that the inadvertent sending of users’ location data happened during a process called “real-time bidding” (RTB) with a “trusted advertising partner.”
“We have fixed this problem and are working hard to make sure it does not happen again. We have also communicated with the people whose accounts were impacted to let them know the bug has been fixed. We invite you to check your privacy settings to make sure you’re only sharing the data you want to with us,” they assured their users.
As for those who are concerned about whether their data was used by whoever received it, Twitter said that it had been in contact with its partner and found that the advertising company did not retain the information that was unintentionally sent to it.
“We have confirmed with our partner that the location data has not been retained and that it only existed in their systems for a short time, and was then deleted as part of their normal process.”
It is still unclear when this unintentional sending of user location data took place, and Twitter did not name the trusted partner in its post regarding the bug.
Reporters have reached out to Twitter to gain further insight into what happened, but Twitter refused to comment beyond what it had already posted in its announcement. It did say that it had already notified the users who were affected by the bug and noted that other victims could contact Twitter by filling out this form.
“We’re very sorry this happened. We recognize and appreciate the trust you place in us and are committed to earning that trust every day.”
Twitter is not the only social media company that had an internal data vulnerability this year. Facebook had been recording the passwords of some of its users in plain text, a human-readable format that allows whoever has access to the database to read, understand, and use the user passwords included in it.
Facebook’s Pedro Canahuati, vice president of engineering for security and privacy, initially referred to “some” user passwords that were accessible to Facebook employees. A paragraph later, he revealed that “hundreds of millions of Facebook Lite users, millions of Facebook users, and tens of thousands of Instagram users” would be notified.
Facebook clarified that the issue was purely internal and that only its employees had access to the user passwords. Nonetheless, tech experts have slammed Facebook for its recklessness.
“To be clear, these passwords were never visible to anyone outside of Facebook, and we have found no evidence to date that anyone internally abused or improperly accessed them,” Canahuati wrote.
The California-based company said that it had already notified users who were affected by the problem and advised them to change their passwords following Facebook’s fix.