Twitter users are finding it harder to trust the platform by the day.
Mere weeks after Twitter’s ex-security chief Peiter “Mudge” Zatko accused the company of cybersecurity mismanagement, and after Twitter’s General Manager of Consumer and Revenue Jay Sullivan dodged questions about the company’s handling of user privacy before the Senate Homeland Security Committee, Twitter has released a blog post announcing that it never logged users out of active sessions after password resets.
In practice, that means whoever comes into possession of a stolen device, for instance, would keep complete access to a user’s account even after that user changed their password.
In a blog post, Twitter admitted that this session token bug existed for a number of months undetected, explaining that it came about after a password reset update that went live last year.
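The failure the article describes is a password reset that rotates the credential but leaves every previously issued session token valid. The following added example (illustrative code written for this article, not Twitter’s implementation or code from its blog post) shows a minimal session store with both behaviours side by side: a reset that only rehashes the password, and a hardened reset that binds each session to a password version and purges the user’s open sessions, so any token issued before the change stops working. All class and function names, and the sample account, are hypothetical.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 is used only because it ships with the standard library;
    # production code should prefer a memory-hard scheme such as Argon2.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    username: str
    salt: bytes
    password_hash: bytes
    # Incremented on every password change. Sessions record the value they
    # were issued under, so a reset invalidates older tokens on the next check.
    password_version: int = 0


@dataclass
class Session:
    username: str
    password_version: int


class AuthService:
    """Hypothetical in-memory user and session store."""

    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}  # token -> Session

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = User(username, salt, hash_password(password, salt))

    def login(self, username: str, password: str) -> Optional[str]:
        user = self.users.get(username)
        if user is None:
            return None
        if not hmac.compare_digest(user.password_hash, hash_password(password, user.salt)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(username, user.password_version)
        return token

    def is_authenticated(self, token: str) -> bool:
        session = self.sessions.get(token)
        if session is None:
            return False
        user = self.users[session.username]
        # Reject any token issued before the latest password change, even if
        # it was never removed from the store (defence in depth).
        return session.password_version == user.password_version

    def _set_password(self, user: User, new_password: str) -> None:
        user.salt = os.urandom(16)
        user.password_hash = hash_password(new_password, user.salt)

    def reset_password_vulnerable(self, username: str, new_password: str) -> None:
        # The behaviour described in the article: the credential changes but
        # every existing session keeps working.
        self._set_password(self.users[username], new_password)

    def reset_password_fixed(self, username: str, new_password: str) -> int:
        # Hardened form: rotate the hash, bump the version so stale tokens fail
        # validation, and purge this user's sessions from the store.
        # Returns the number of sessions revoked.
        user = self.users[username]
        self._set_password(user, new_password)
        user.password_version += 1
        stale = [t for t, s in self.sessions.items() if s.username == username]
        for token in stale:
            del self.sessions[token]
        return len(stale)


def demo() -> Tuple[bool, bool]:
    """Returns (token still valid after vulnerable reset,
                token still valid after fixed reset)."""
    auth = AuthService()
    auth.register("alice", "correct horse")  # constructed sample account
    token_a = auth.login("alice", "correct horse")
    auth.reset_password_vulnerable("alice", "battery staple")
    still_valid_vulnerable = auth.is_authenticated(token_a)  # the bug: True

    token_b = auth.login("alice", "battery staple")
    auth.reset_password_fixed("alice", "staple battery")
    still_valid_fixed = auth.is_authenticated(token_b)  # hardened: False
    return still_valid_vulnerable, still_valid_fixed


if __name__ == "__main__":
    print(demo())
```

Both checks in `reset_password_fixed` matter: purging the store handles tokens you know about, while the version comparison in `is_authenticated` catches any token that survived elsewhere (a replica, a cache, a stateless signed token), which is the kind of gap that lets a reset look complete while old sessions quietly keep working.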
To address the issue, Twitter “directly informed the people we were able to identify who may have been affected by this, proactively logged them out of open sessions across devices, and prompted them to log in again.”
Twitter, however, encouraged everyone to “check out the controls available in your settings and to review active open sessions regularly.”