Twitter says that less than one percent of users were affected, but given there are more than 335 million active users, that could still mean the bug hit more than 3 million people. The company is informing affected users via a notice on its app and website.
The company fixed the problem after discovering it on September 10th, and it determined that the bug, which affected the Account Activity API, had been active since May 2017. That API lets developers create tools for businesses to communicate with customers, and the bug could have sent those interactions (which often contain sensitive customer information) to a different developer. "In some cases this may have included certain Direct Messages or protected Tweets, for example a Direct Message with an airline that had authorized an AAAPI developer," Twitter said.