We were alerted to and fixed a bug in our system that, for 94,287 protected accounts under rare circumstances, allowed non-approved followers to receive protected tweets via SMS or push notifications since November 2013. As part of the bug fix, we’ve removed all of these unapproved follows, and taken steps to protect against this kind of bug in the future.
While the scope of this bug was small in terms of affected users, that does not change the fact that this should not have happened. We’ve emailed each of these affected users to let them know about this bug and extend our whole-hearted apologies.
We also want to thank our white hat security community, a member of which helped us discover and diagnose the bug. These folks help us keep Twitter safe for everyone.
[Update, 3/24/14: The post has been updated to reflect the final number of affected accounts. It was originally stated as 93,788.]