Twitter said it discovered the bug in its Account Activity API (AAAPI), which lets registered developers build tools to help businesses communicate with customers. Users who interacted with accounts or businesses that relied on developers using the AAAPI may've had their direct messages or protected tweets sent to the wrong people. For example, a direct message to an airline about lost bags may've been accidentally sent to the wrong recipient.
In a statement, Twitter said it was "very sorry this happened."
The issue began last May. Twitter said it issued a fix when it discovered the problem on Sept. 10, 2018. The bug affected less than 1 percent of users, the company said.
"Any party that may have received unintended information was a developer registered through our developer program, which we have significantly expanded in recent months to prevent abuse and misuse of data," Twitter said in a statement.
The company said it'll contact people directly through an in-app notice and on Twitter's site if their account was affected by the bug.
Some users tweeted screenshots of the notifications they'd received from Twitter.
"Sorry, what?! My DMs may have been sent to developers for more than a year??" Mashable reporter Karissa Bell tweeted.
In a tweet, Twitter said: "We haven't found an instance where data was sent to the incorrect party. But we can't conclusively confirm it didn't happen, so we're telling potentially impacted people about the bug. If you were potentially involved, we'll contact you today. We're sorry that this happened."
In another tweet, the company emphasized that "this only involves potential interactions or Direct Messages you have had with companies using Twitter for things like customer service. Your other DMs are not involved at all."
Twitter said it reached out to developer partners to make sure they delete any information they shouldn't have.
"Our investigation is ongoing," Twitter said in the statement. "We will continue to provide updates with any relevant information."