A bug in Twitter’s API inadvertently exposed some users’ direct messages and protected tweets to unauthorized third-party app developers. The bug was present for more than a year before Twitter discovered it and patched it on September 10. Twitter says it has not yet discovered any evidence that a wrong developer received DMs or protected tweets. The company is working with developers who received the data and is “working with them to ensure that they are complying with their obligations to delete information they should not have,” Twitter says.
Source: https://thehackernews.com/2018/09/twitter-direct-message-api.html