We recently published a notice about a bug related to our Account Activity API that could have resulted in data being delivered to the wrong registered developer. As part of our ongoing investigation, we have already emailed all developers who may have been impacted, and want to provide some additional details to potentially affected developers here. So far, our investigations have confirmed only one set of technical circumstances where this issue could have occurred.
For context: Based on the way the Account Activity API works, the issue itself would have involved data being sent by Twitter to the wrong registered developer’s webhook URL. This API sends data to registered developers who use the Account Activity API based on their active ‘subscriptions.’
We have validated that this bug might have occurred when all of the following technical circumstances were true during the relevant time period for this issue:
Under those circumstances, if the bug occurred, the issue (transmission of activities to the wrong webhook URL) could have persisted until one of the following conditions were met:
Our team has been working diligently with our most active enterprise data customers and partners who have access to this API to evaluate if they were impacted. Through our work so far, and the information made available to us by our partners, we can confirm that the bug did not affect any of the partners or customers with whom we have completed our review. Over the coming days, we will continue our investigations to include a review of our remaining enterprise partners who could have been impacted.
If you are a developer who used the Account Activity API during the relevant time period for this issue (i.e., between the date you had access to the AAAPI and Sept. 10, 2018), we hope the above information is useful in assessing whether this issue may have impacted your services. Our investigation into this issue is ongoing. We will provide any significant additional technical updates if we have them.