Twitter has fixed an issue that allowed accounts to stay logged in on multiple devices even after resetting their passwords. This means that if an unauthorized party was able to gain access to a user's Twitter account, they would remain logged in even after the user reset their password and logged out. A user who resets their password voluntarily often does so precisely because they suspect their account has been compromised, which makes the flaw a serious one. It is not clear how long this flaw has existed or how many users could have been impacted.
Twitter has claimed that the issue could have appeared after it made a change to the systems that power its password reset functions last year. Twitter stated that it directly informed the users it was able to identify as potentially affected by the attack, and then logged them out of all sessions across all devices. Twitter users may want to proactively log out of all active sessions and reset their passwords across their devices in case they were impacted by the flaw. Twitter stated that users should be monitoring active sessions on a daily basis.
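The failure described above is a session store that does not tie session validity to the password that was current when the session was issued. The following is an added example, not Twitter's code: a hypothetical in-memory session store (`SessionStore`, `stale_session_survives_reset` and the user name `alice` are all constructed for illustration) that can be run in the flawed mode, where a reset leaves every existing session alive, or in the corrected mode, where each session records a password generation counter and a reset bumps it so all earlier sessions stop validating.

```python
import secrets
from dataclasses import dataclass


@dataclass
class User:
    password_hash: str      # stand-in for a real password hash (constructed)
    password_generation: int = 0


@dataclass
class Session:
    user_id: str
    password_generation: int  # user's generation when this session was issued


class SessionStore:
    """Hypothetical in-memory session store; not Twitter's implementation."""
    def __init__(self, bind_to_password: bool = True):
        self.users: dict[str, User] = {}
        self.sessions: dict[str, Session] = {}
        self.bind_to_password = bind_to_password

    def add_user(self, user_id: str, password_hash: str) -> None:
        self.users[user_id] = User(password_hash)

    def login(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user_id, self.users[user_id].password_generation)
        return token

    def is_valid(self, token: str) -> bool:
        s = self.sessions.get(token)
        if s is None:
            return False
        if not self.bind_to_password:
            return True  # flawed: a stored token stays valid across a reset
        return s.password_generation == self.users[s.user_id].password_generation

    def reset_password(self, user_id: str, new_hash: str) -> None:
        user = self.users[user_id]
        user.password_hash = new_hash
        user.password_generation += 1  # every session issued before now is dead


def stale_session_survives_reset(bind_to_password: bool) -> bool:
    """Log in, reset the password, and ask whether the earlier token still works."""
    store = SessionStore(bind_to_password)
    store.add_user("alice", "hash-old")
    earlier = store.login("alice")  # session opened before the reset (constructed)
    store.reset_password("alice", "hash-new")
    return store.is_valid(earlier)
```

Sessions created after the reset pick up the new generation and keep working, so the check only cuts off devices that were logged in with the old credential.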