Today Twitter alerted select users affected by a November bug with one of its support forms. So far the company has declined to provide an estimate for how many accounts potentially had data exposed.
Unlike that big Facebook breach, and the Facebook photos bug, and the Google+ bug, and then the second Google+ bug, and the time an Amazon employee shared customer email addresses, and then more email addresses leaked but it was called a “technical error,” Twitter’s issue exposed considerably less personal information: just the country code of accounts which had an associated phone number, “as well as whether or not their account had been locked,” according to the language of the popover.
Still, there’s no good version of a data leak, and foreign actors could use this information to pursue whistleblowers, TechCrunch notes. Worryingly, Twitter claims it spotted “unusual activity” around this specific support form, involving “a large number of inquiries coming from individual IP addresses located in China and Saudi Arabia”—countries not known for their positive treatment of dissidents.
“No action is required by you and we have resolved the issue,” Twitter’s popover claims. Why Twitter waited more than a month to inform users that their personal information—even relatively low-value information like a country code—had been exposed is unclear.
Twitter pointed Gizmodo towards a help center post which largely reprints the text of the popover notice, but declined to provide comment beyond that.