The users were in countries like France, Greece and Turkey, and some of them were politicians and officials. TechCrunch found a senior Israeli politician, for instance.
Balic didn't notify Twitter, but did warn some users directly. Twitter blocked his effort on December 20th and hasn't publicly acknowledged the flaw so far. We've asked Twitter for comment.
This hasn't been Twitter's best year in terms of security. On top of the two most recent flaws, it accidentally shared location data and acknowledged that phone numbers might have been used for ad targeting. While major damage hasn't ensued from these incidents, it's clear Twitter will have to put in some effort if it's going to reassure users.
Update 12/24 6:25PM ET: Twitter spokeswoman Aly Pavela said the company took reports like this "seriously" and that it was "actively investigating" the bug. It blocked the activity by suspending the accounts used to get people's information. You can read Twitter's full statement below.
To no one's surprise, the company also said that it wasn't thrilled with Balic's approach. In addition to disclosing to a media outlet rather than Twitter, he accomplished the feat using hundreds of fake accounts with over 50 active Android sessions each. Given that Twitter already spends a lot of energy taking down fake accounts, it probably doesn't want any more messes to clean up.
"We take these reports seriously and are actively investigating to ensure this bug can't be exploited again. When we learned about this bug, we suspended the accounts used to inappropriately access people's personal information. Protecting the privacy and safety of the people who use Twitter is our number one priority and we remain focused on rapidly stopping spam and abuse originating from the use of Twitter's APIs. "