Twitter has updated users about a bug related to its Account Activity API which meant private messages intended for individuals or brands may have ended up in the wrong hands.
The firm said the security glitch "could have resulted in data being delivered to the wrong registered developer.
However, it added that the exposure had impacted less than 1% of direct messages senders.
In revealing the issue, Twitter said it had persisted since May 2017.
"We haven't found an instance where data was sent to the incorrect party. But we can't conclusively confirm it didn't happen, so we're telling potentially impacted people about the bug. If you were potentially involved, we’ll contact you today. We’re sorry that this happened," the company wrote in a statement.
"Our team has been working diligently with our most active enterprise data customers and partners who have access to this API to evaluate if they were impacted.
"Through our work so far, and the information made available to us by our partners, we can confirm that the bug did not affect any of the partners or customers with whom we have completed our review.
"Over the coming days, we will continue our investigations to include a review of our remaining enterprise partners who could have been impacted."