Privacy Disaster At Twitter: Direct Messages Exposed (Update: GroupTweet Is Likely Culprit)

Twitter user Orli Yakuel, with 650 followers, had a nasty surprise this morning – her direct messages (private messages between two Twitter users) showed up in her normal Twitter stream (and were subsequently published to her FriendFeed account). Friends messaged her to tell her about the embarrassing issue.

At first she tried to delete the private messages and posted the notice above, but she then simply deleted her entire Twitter account (it was here). I saw it before deletion, however, and it clearly contained very private messages, exposed to anyone who went to her page. One user messaged her that it had happened to him as well, but I have not verified it personally.

We’re seeing an increasing trend of privacy issues pop up around new web applications and all this distributed data.

It’s the middle of the night, so I’m not going to get a response from Twitter on this until morning. If you want to delete private messages, click on the Direct Messages link in Twitter on the right sidebar area. You have to delete them one at a time.

Orli’s blog is here, and she also created the Web 2.0 Directory website.

Update: It looks like this is a problem caused by GroupTweet, a newish third-party Twitter application that allows users to direct message a lot of people at once. Orli says that she tested the application earlier today, and a number of commenters are pointing out that it may be the problem. GroupTweet requires you to create a new Twitter account to use with the service, and tell it the credentials for the account. But if you accidentally enter your primary account credentials instead, it will expose your direct messages to the public. This is not a Twitter API issue as far as I can tell; it’s a problem with the fact that GroupTweet is confusing, and if you make a mistake, your direct messages are made public. This is particularly an issue for non-native English users when using it. I could have very easily made this mistake when testing the application.

Update 2: New registrations for GroupTweet are being disabled by the founder “until this is sorted out.”