Twitter bug disclosed some users’ location data to an unnamed partner

Twitter on Monday afternoon disclosed a bug that in certain conditions resulted in an account’s location data being shared with a Twitter partner — even if the user had not opted in to sharing that data. The bug only affected a portion of Twitter’s iOS user base, the company says, and they’ve since been notified of the issue.

Affected users had more than one Twitter account on iOS, and had chosen to share their precise location using the optional feature in one account. Twitter says it may have accidentally collected location data for the other account or accounts on the same mobile device, as well, even when those accounts were not similarly opted in to location data sharing.

This information was then shared during the real-time bidding process with an unnamed Twitter partner, which meant they received the unauthorized location data. Twitter notes that none of this was “precise” location data, because the data was already “fuzzed” to be only a ZIP code or city (5 km squared).

That means the data “could not be used to determine an address or to map your precise movements,” the company noted.

In terms of those worried about their location being disclosed or generally being doxxed, Twitter assured impacted users that the partner receiving the location data didn’t also receive their Twitter handle or a unique account identifier. They wouldn’t have been able to determine your identity, the company says. And the location data was not retained by the partner, Twitter says.

According to the company’s announcement:

We have confirmed with our partner that the location data has not been retained and that it only existed in their systems for a short time, and was then deleted as part of their normal process.

We have fixed this problem and are working hard to make sure it does not happen again. We have also communicated with the people whose accounts were impacted to let them know the bug has been fixed. We invite you to check your privacy settings to make sure you’re only sharing the data you want to with us.

It’s unclear at this time when this location sharing took place, or for how long, as Twitter didn’t disclose this in its post announcing the bug. Nor did it name the partner that had possession of the data, or explain how such a bug came to be in the first place. It only said that it failed to remove the location data.

Reached for comment, Twitter told TechCrunch none of that information is going to be disclosed.

Twitter does say affected users have been notified, and anyone with questions can fill out a form to contact Twitter’s Data Protection Officer with more questions. It’s unclear to what extent the bug will result in a GDPR fine at this time, given the lack of specifics on hand.