As reported by Bleeping Computer, Twitter logged out some users after addressing a bug where some Twitter accounts remained logged on some mobile devices after voluntary password resets. “That means that if you proactively changed your password on one device, but still had an open session on another device, that session may not have been closed. Web sessions were not affected and were closed appropriately,” Twitter explained.
There are some potential privacy risks for Twitter users who were affected by this bug, including having their accounts accessed by others who got their hands on devices that remained logged in without the user’s knowledge. Because of this, the company reached out to those who might have been impacted and logged them out of their accounts on all active sessions across all devices.
Password resets are often a reaction to a compromised account, or if another account has the same reused password, but it is worrying if those passwords still allow access from devices which may have been stolen. Although the bug has been patched it remains vital that all accounts are set up with 2FA and devices are secured. It is therefore important to have passcode locks on all devices such as phones and tablets to minimise the attack entry point and to make sure you can remotely wipe devices if they are lost or stolen.