Earlier today, Twitter sent a message to a large number of users informing them about an API bug. According to the company, it identified a bug on September 10 that potentially allowed direct messages and protected accounts to be read by "Twitter developers who were not authorized to receive them."

Twitter went into more detail about the bug on its Developer Blog, explaining that it could have allowed data to be sent to the wrong developer's webhook URL (the mechanism that some Twitter applications use to retrieve data). For this to occur, two or more registered developers had to share API subscriptions tied to the same public IP, URL paths had to match exactly across those IPs, and the information sent to developers had to originate from the same server in Twitter's datacenter.

Because all of those conditions had to be true at the same time for the bug to occur, it seems unlikely that malicious developers took advantage of it. Twitter says it has found no evidence of such behavior so far, but the company is still investigating.

Source: Twitter Developer Blog