Twitter is alerting Vine users of a bug that exposed their email addresses and, in some cases, phone numbers to third parties. It’s also advising affected users to be cautious about any emails from unknown senders as a result. The company says the bug was only active for 24 hours before being patched, and at this time doesn’t believe that the data was misused in any way.
To be clear, Twitter was not hacked nor is this considered a data breach – instead, the email address or phone number the company had on file for some Vine users was only available under certain circumstances, the company says.
The company declined to officially comment on the specifics of how the bug was discovered or how it may have been seen by third parties, but we understand that this data was not published on the Vine archive website where anyone on the public internet could have seen it. Instead, if anyone were to have seen the data at the time of exposure, they would have had to do so through more technical means – such as using an API to pull the information.
Twitter is only alerting users out of a desire to be transparent in disclosing the vulnerability, not because they believe that anyone actually captured the user data or misused it in any way.
In addition, Twitter says that the exposed emails or phone numbers would not have allowed a third party to access someone’s Vine account because passwords were not exposed as a part of this incident.
Emails are now going out to affected users, and will be personalized in terms of whether the user had only their email, only their phone number, or both exposed during the time the vulnerability was live.
Twitter declined to say how many users or what percentage of the Vine user base was impacted.
We understand that this issue would not have affected Twitter users who didn’t also have Vine accounts, though.
Once a fairly popular social app, Vine was effectively shut down at the beginning of the year, but the company continues to maintain an online archive of Vine videos and a basic utility for those users who want to still make short, looping video clips.
However, the fact that these resources remain online even when Vine is no longer a priority for the company means there’s still potential for things like this security incident to occur. Despite Twitter’s obvious interest in keeping the archive available for the Vine users and fandom, it may have been better for Twitter to have fully shuttered the site so engineering resources wouldn’t have to be diverted to its ongoing maintenance.
Twitter says users do not need to reset passwords on their Vine accounts, but should be aware that any official communications from Vine will come from an @twitter.com email address. Twitter will also never ask you via email to open an attachment or request your password, it says.