We haven't found an instance where data was sent to the incorrect party. But we can't conclusively confirm it didn't happen, so we're telling potentially impacted people about the bug. If you were potentially involved, we'll contact you today. We're sorry that this happened. — Twitter Support (@TwitterSupport) September 21, 2018

For those who received notifications today, this only involves potential interactions or Direct Messages you have had with companies using Twitter for things like customer service. Your other DMs are not involved at all. — Twitter Support (@TwitterSupport) September 21, 2018

Twitter says that less than one percent of users were affected, but given there are more than 335 million active users, that could still mean the bug hit more than 3 million people. The company is informing affected users via a notice on its app and website.

Sorry, what?! My DMs may have been sent to developers for more than a year?? pic.twitter.com/0ry6pyZIdI — Karissa Bell (@karissabe) September 21, 2018

The company fixed the problem after discovering it September 10th, and it determined that the bug, which affected the Account Activity API, had been active since May 2017. That API lets developers create tools for businesses to communicate with customers, and the bug could have sent those interactions (which often contain sensitive customer information) to a different developer. "In some cases this may have included certain Direct Messages or protected Tweets, for example a Direct Message with an airline that had authorized an AAAPI developer," Twitter said.