A bug affecting the permissions dialog when authorizing certain apps to Twitter leaves direct messages exposed to the third-party without the user ever knowing about it. Terence Eden discovered the issue and reported it to Twitter through the HackerOne bug bounty platform. The disclosure earned him a reward of $2,940. Twitter fixed the issue on December 6, announced the bounty payment and informed the researcher that he could publish the details of his report. The issue was accepted on the same day after providing clarifications and demonstrating the privacy violation problem.
Source: https://www.bleepingcomputer.com/news/security/twitter-fixes-bug-that-gives-unauthorized-access-to-direct-messages/