Twitter says it has fixed a bug that meant users weren’t logged out of active sessions on all devices after manually resetting their passwords.
Writing on its blog, Twitter said:
“We want to let you know that we recently fixed a bug that allowed Twitter accounts to stay logged in from multiple devices after a voluntary password reset. In order to help ensure the safety and security of everyone that may have been affected, we’ve proactively logged people who may have been affected out of active sessions.”
Leaving other devices logged in after an explicit password change defeats the purpose of the change. Resetting the password is the standard first step after a suspected compromise, and it only helps if every existing session is revoked at the same time; otherwise an attacker who has already got into the account stays logged in and can keep impersonating the user, read DMs, change the password again, and more.
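The fix for this class of bug is to tie every session to the password it was issued under, so a reset invalidates all of them at once rather than only the session that made the request. The following is an added illustration written for this page, not Twitter's code and not part of the original article. All names (`AuthService`, `password_generation`, the user and device labels) are hypothetical, and PBKDF2 from the standard library stands in for a production password hash such as argon2 or bcrypt. The `revoke_all_sessions_on_reset` flag lets the same store show the buggy behaviour (only the requesting device is logged out) beside the correct one (a generation counter bump revokes every other device's session on its next request).

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass


@dataclass
class User:
    user_id: str
    salt: bytes
    password_hash: bytes
    # Bumped on every password reset. Sessions carry the value they were issued under,
    # so a bump revokes every session minted before the reset, on every device.
    password_generation: int = 0


@dataclass
class Session:
    user_id: str
    device: str
    password_generation: int


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps this self-contained; use argon2 or bcrypt in real systems.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthService:
    """Hypothetical in-memory auth service (illustration only)."""

    def __init__(self, revoke_all_sessions_on_reset: bool) -> None:
        self.revoke_all_sessions_on_reset = revoke_all_sessions_on_reset
        self.users: dict[str, User] = {}
        self.sessions: dict[str, Session] = {}  # token -> session

    def register(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user_id] = User(user_id, salt, hash_password(password, salt))

    def login(self, user_id: str, password: str, device: str):
        user = self.users.get(user_id)
        if user is None or not hmac.compare_digest(
            user.password_hash, hash_password(password, user.salt)
        ):
            return None
        return self._issue_session(user, device)

    def _issue_session(self, user: User, device: str) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user.user_id, device, user.password_generation)
        return token

    def session_is_valid(self, token: str) -> bool:
        s = self.sessions.get(token)
        if s is None:
            return False
        user = self.users[s.user_id]
        # A session issued under an older password generation is treated as revoked.
        return s.password_generation == user.password_generation

    def reset_password(self, token: str, new_password: str) -> str:
        """Voluntary reset from an authenticated device; returns a fresh token for that device."""
        if not self.session_is_valid(token):
            raise PermissionError("not authenticated")
        s = self.sessions.pop(token)  # the requesting device's own session is always dropped
        user = self.users[s.user_id]
        user.salt = os.urandom(16)
        user.password_hash = hash_password(new_password, user.salt)
        if self.revoke_all_sessions_on_reset:
            user.password_generation += 1  # every other device fails validation from now on
        return self._issue_session(user, s.device)


def demo(revoke_all: bool) -> dict:
    """Constructed scenario: an intruder already holds a session when the owner resets the password."""
    svc = AuthService(revoke_all_sessions_on_reset=revoke_all)
    svc.register("alice", "hunter2")
    phone = svc.login("alice", "hunter2", "android")
    intruder = svc.login("alice", "hunter2", "unknown-browser")  # attacker who knew the old password
    new_phone = svc.reset_password(phone, "correct horse battery staple")
    return {
        "intruder_still_logged_in": svc.session_is_valid(intruder),
        "new_session_works": svc.session_is_valid(new_phone),
        "old_password_still_works": svc.login("alice", "hunter2", "laptop") is not None,
    }
```

With `demo(False)` the intruder's session survives the reset, which is the behaviour the bug produced; with `demo(True)` it is rejected on its next request while the device that performed the reset keeps working on its new token. A generation counter (or equivalently a "sessions not valid before" timestamp) is cheaper than enumerating and deleting sessions across shards, and it works for stateless tokens too as long as the check is enforced server-side.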
Twitter says it has logged everyone who may have been affected out of their active sessions, on all devices.
We fixed a bug that didn’t close all active logged in sessions on Android and iOS after an account’s password was reset. To keep your account safe, we logged some of you out. You can log back in to keep using Twitter.
For more details on what happened: https://t.co/OmjLKOe5bs
— Twitter Support (@TwitterSupport) September 21, 2022
Twitter says it has reached out to users who might have been affected by the bug. For everyone else, it’s business as usual.