In tweets Thursday afternoon, Twitter's chief technology officer, Parag Agrawal, apologized for the error and said: “We are sharing this information to help people make an informed decision about their account security.”
Twitter said that it had discovered the error itself and removed the passwords. The company did not say when it discovered the bug.
In 2011, Twitter finalized a settlement with the Federal Trade Commission over allegations that the company's “serious lapses” in data security “allowed hackers to obtain unauthorized administrative control of Twitter,” according to an FTC release. As part of the settlement, Twitter must maintain a “comprehensive information security program” that will be independently assessed every other year for 10 years.
Such data security assessments have come under scrutiny in recent weeks, following Facebook's entanglement with a political consultancy that improperly accessed the data of 87 million users. Facebook's assessments did not appear to detect the incident.