Twitter Privacy Center
September 21, 2022
An incident impacting password resets on Twitter
We want to let you know that we recently fixed a bug that allowed Twitter accounts to stay logged in from multiple devices after a voluntary password reset. In order to help ensure the safety and security of everyone that may have been affected, we’ve proactively logged people who may have been affected out of active sessions. We take our responsibility to protect your privacy very seriously and it is unfortunate this happened. While there is no action for you to take, we want to share more about the steps we’ve taken and best practices for keeping your account safe.
What happened
We learned of a bug that allowed some Twitter accounts to stay logged in on multiple mobile devices after a voluntary password reset. That means that if you proactively changed your password on one device, but still had an open session on another device, that session may not have been closed. Web sessions were not affected and were closed appropriately. This bug was introduced after we made a change to the systems that power password resets last year.
We have directly informed the people we were able to identify who may have been affected by this, proactively logged them out of open sessions across devices, and prompted them to log in again. We realize this may be inconvenient for some, but it was an important step to keep your account safe and secure from potential unwanted access.
What’s next
We encourage everyone to check out the controls available in your settings and to review active open sessions regularly. You can also review how to reset a lost or forgotten password on our Help Center.
We recognize and appreciate the trust you place in us, and are committed to earning that trust every day.