Twitter on Monday afternoon disclosed a bug that in certain conditions resulted in an account’s location data being shared with a Twitter partner — even if the user had not opted in to sharing that data. The bug only affected a portion of Twitter’s iOS user base, the company says, and they’ve since been notified of the issue.
Affected users had more than one Twitter account on iOS, and had chosen to share their precise location using the optional feature in one account. Twitter says it may have accidentally collected location data for the other account or accounts on the same mobile device, as well, even when those accounts were not similarly opted in to location data sharing.
Due to a bug in Twitter for iOS, we inadvertently collected and shared location data (at the zip code or city level). We have fixed the bug, but we wanted to make sure we shared more of the context around this with you. More here: https://t.co/n04LNt62Sa
— Support (@Support) May 13, 2019
This information was then shared during the real-time bidding process with an unnamed Twitter partner, which meant they received the unauthorized location data. Twitter notes that none of this was “precise” location data, because the data was already “fuzzed” to be only a ZIP code or city (5 km squared).
That means the data “could not be used to determine an address or to map your precise movements,” the company noted.
Join 10k+ tech and VC leaders for growth and connections at Disrupt 2025
Netflix, Box, a16z, ElevenLabs, Wayve, Hugging Face, Elad Gil, Vinod Khosla — just some of the 250+ heavy hitters leading 200+ sessions designed to deliver the insights that fuel startup growth and sharpen your edge. Don’t miss the 20th anniversary of TechCrunch, and a chance to learn from the top voices in tech. Grab your ticket before doors open to save up to $444.
Join 10k+ tech and VC leaders for growth and connections at Disrupt 2025
Netflix, Box, a16z, ElevenLabs, Wayve, Hugging Face, Elad Gil, Vinod Khosla — just some of the 250+ heavy hitters leading 200+ sessions designed to deliver the insights that fuel startup growth and sharpen your edge. Don’t miss a chance to learn from the top voices in tech. Grab your ticket before doors open to save up to $444.
In terms of those worried about their location being disclosed or generally being doxxed, Twitter assured impacted users that the partner receiving the location data didn’t also receive their Twitter handle or a unique account identifier. They wouldn’t have been able to determine your identity, the company says. And the location data was not retained by the partner, Twitter says.
According to the company’s announcement:
We have confirmed with our partner that the location data has not been retained and that it only existed in their systems for a short time, and was then deleted as part of their normal process.
We have fixed this problem and are working hard to make sure it does not happen again. We have also communicated with the people whose accounts were impacted to let them know the bug has been fixed. We invite you to check your privacy settings to make sure you’re only sharing the data you want to with us.
It’s unclear at this time when this location sharing took place, or for how long, as Twitter didn’t disclose this in its post announcing the bug. Nor did it name the partner that had possession of the data, or explain how such a bug came to be in the first place. It only said that it failed to remove the location data.
Reached for comment, Twitter told TechCrunch none of that information is going to be disclosed.
Twitter does say affected users have been notified, and anyone with questions can fill out a form to contact Twitter’s Data Protection Officer with more questions. It’s unclear to what extent the bug will result in a GDPR fine at this time, given the lack of specifics on hand.
