Privacy Disaster At Twitter: Direct Messages Exposed (Update: GroupTweet Is Likely Culprit)
by Michael Arrington on April 23, 2008

Twitter user Orli Yakuel, with 650 followers, had a nasty surprise this morning - her direct messages (private messages between two Twitter users) showed up in her normal Twitter stream (and were subsequently published to her FriendFeed account). Friends messaged her to tell her about the embarrassing issue.

At first she tried to delete the private messages and posted the notice above, but she then simply deleted her entire Twitter account (it was here). I saw it before deletion, however, and it clearly contained very private messages, exposed to anyone who went to her page. One user messaged her that it had happened to him as well, but I have not verified it personally.

We’re seeing an increasing trend of privacy issues pop up around new web applications and all this distributed data.

It’s the middle of the night, so I’m not going to get a response from Twitter on this until morning. If you want to delete private messages, click the Direct Messages link in the right sidebar on Twitter. They have to be deleted one at a time.

Orli’s blog is here, and she also created the Web 2.0 Directory website.

Update: It looks like this is a problem caused by GroupTweet, a new third-party Twitter application that lets a user direct message a lot of people at once. Orli says she tested the application earlier today, and a number of commenters are pointing out that it may be the problem. GroupTweet works by logging in to a Twitter account with the password you give it, reading that account’s direct messages and reposting them as public tweets. It requires you to create a new, dedicated Twitter account for the service and give GroupTweet the credentials for that account. If you enter your primary account’s credentials instead, it reads and republishes that account’s direct messages, exposing them to the public. As far as I can tell this is not a Twitter API issue: the API is doing exactly what an application holding a valid password asks of it. The problem is that GroupTweet’s setup is confusing and has no safeguard against the mistake, so one wrong entry makes your direct messages public. The instructions are especially easy to misread for non-native English speakers. I could very easily have made this mistake when testing the application. The broader lesson applies to any service that asks for your Twitter password: with it, that service can read your direct messages.

Update 2: New registrations for GroupTweet are being disabled by the founder “until this is sorted out.”

Responses


  • Saw it happening, very very frightening

  • Yes, I saw it too... I think it is some sort of a bug and will get fixed soon.

  • must be pretty scary for some people

  • Poor Twitter. They must really be struggling with the scale issues. So many random marketing blogger types are signing up for accounts and following half the twitterverse.

    I think there is a fundamental question here: Twitter is queue-driven internally, so how the hell did direct messages even make it into the same queue/DB as regular timeline updates?

  • Using Twitter for private conversation is asking for trouble.

  • It seems all major web apps have to go through some sort of privacy scandal these days… Let’s hope Twitter handles this better than Facebook did by providing a more immediate explanation and public apology.

  • Wasn’t it just GroupTweet (http://grouptweet.com)? I once saw somebody who misunderstood the site and put their own credentials in there, which exposed a couple of DM’s.

  • this is really scary…. not again twitter please =(

  • that’s more of a sh!tter than twitter. Yikes, some serious embarrassment for twitter and a potential disaster for users.

    (thinking aloud) Wonder what the proportion of direct messages is to broadcasts…

  • Must be a bug specific to certain users … here it seems to work fine (private messages do not show up in the public stream: http://twitter.com/tunesbag)

  • I don’t think that posting anything that should be private on Twitter is really wise. This platform was meant to be public in the first place. It is still interesting how it could get messed up. One thing for sure - Twitter is a scalability case study for the whole web 2.0

  • Wow. That’s pretty bad for Twitter. But I guess this just highlights a general issue of the whole web 2.0 trend. Who can I trust with my personal information? If it’s not on my own machine, I’m just out of luck if something goes wrong.

  • try to avoid using ‘grouptwitter’ on an active account - this has a similar effect, in that it just turns ALL of your direct personal messages into the public timeline - as I found out last week - not good at all.

    twitter has become a great micro blogging social network - despite being as flaky as hell sometimes, having something like this happen to your personal messages is clearly not good for their ability to manage data - nor maintain a basic level of privacy and protection for the users.

    imagine the private messages of @1938media and Shel Israel - man that would make interesting reading :)

    dailytwitter

  • That’s a pretty fundamental privacy issue if ever I saw one - I’m glad I’ve never even sent a DM on twitter.

  • Surprise but no surprise… :-|

  • BTW, Don’t use Twitter services that ask you your password. They’ll be able to do this kind of stuff, by accident most likely.

  • Twitter makes it quite clear that users can expect privacy when direct messaging:

    http://help.twitter.com/index......#038;id=15

  • Has happened to a twitter user in India also : gauravonomics

  • This is interesting: we are investing a lot of time and effort, and clearly personal information, into services that are completely free and without any guarantee of performance, security or trust. When these free services all fall over we complain and create a fuss over something which was free to begin with and which we took at face value.

    What would you do if Yahoo! just trashed all your mail - what recourse do you have? This would make for an interesting litigation in the case of a celeb with money - would the provider of the channel to market be prosecuted?

    any thoughts?

    dailytwitter

  • using ‘www.grouptweet.com’ also has the same effect on your account - I don’t know if you guys caught this one? It just exposes your entire private message history - as I know from experience.

    dailytwitter

  • Might be it’s time to rewrite their “private message in several ways” to
    “message private in several ways” :-D

  • This is perhaps the first, but not the last “privacy” issue that we will hear about, but not just on twitter. The entire concept of private spheres and public spheres is morphing before our eyes, and those of us on twitter and other “life-following” services (especially QIK and Viddler) are participating in this grand experiment. It seems like transparency is inevitable, but nevertheless it is a scary surprise sometimes.

  • You don’t have to delete them one at a time if you’re using a multi-tabbed browser (or at least I didn’t on Firefox). Hold down the ctrl key (or the Mac equivalent that opens a link in a new tab) throughout clicking on the various trash icons and OK messages and you can do more than one in a go.

    I can only hope it was an effect of using Grouptweet, as this is a major major blow to twitter if it’s a native fault.

    And also to 22 above, we may be seeing a meld of the public and private spheres, but no matter how much of our personal lives we’re willing to put up to public scrutiny, there’s always the “intimate” sphere, which we’ll never share in that way.

  • If GroupTweet can expose the DM stream, then surely that’s an issue with the Twitter API isn’t it? Why would they build that ability into their API?

  • This is why you never give out your credentials for one site to another site.

  • It is quite scary - in fact there are a lot of bugs that have been surfacing the past few weeks - I sincerely hope the developers are working fast enough - I know they are working hard but speed is of the essence :)

    My wishes with you guys - GodSpeed!!

    p

  • see update. still digging on this.

  • If you don’t want it on the front page of the New York Times, then don’t put it in Twitter. Of course, I don’t know what we’ll say when there is no front page of the New York Times. :(

  • GroupTweet needs to, at the VERY LEAST, make it much clearer on their site to NOT enter your twitter credentials.

  • I only use DM when it’s a conversation that should be taken offline but which, if by chance it ended up in my public feed, would cause harm or embarrassment.

  • This is pretty bad. I hope that 3rd party application is banned from being used with Twitter, or is made non-functional by Twitter - at least until the bug gets fixed. I use Twitter to update my blog readers via its public messages. Haven’t used private messages yet, and won’t be doing so using GroupTweet.

    http://www.mrfeedback.net

  • My recommendation: go nowhere near the grouptweet site for now.

  • I have to agree with Martin Jamieson, if Grouptweet can get your private messages through the API then there is already something wrong with Twitter. I wonder if the API even shows any difference between private messages & regular tweets …

    When I read the Grouptweet homepage, it seemed quite clear to me you shouldn’t enter YOUR twitter details but have a special group one set up.

  • Raja - this isn’t a “bug” as far as I can tell, it’s simply how grouptweet works if you tell it your twitter credentials, instead of the new twitter account credentials that you are supposed to create for the application.

  • This scared the hell out of me!

    GroupTweet is done for. Does anyone think you can actually recover from this?

  • Wow! I see a lot of dirty laundry being exposed! Scandals galore!

    Hope lessons learned all around. Never say anything that you may regret later! This goes for public and private!

  • One immediate problem with GroupTweet is that it appears to monitor sent as well as received direct messages (it should only monitor received, even when working normally). But, frankly, it’s a dangerous application if in fact it is the cause of all this.

  • Someone needs to build a better service. These guys are NOT ready for primetime.

  • http://www.tech-exposed.com

    Wow, they’ve really dropped the ball on this one. People will remember this for some time to come.

  • However unpleasant the situation may be, I still see GroupTweet as a good initiative. Especially in combination with SMS it is a powerful tool!

  • Even if Grouptweet has a problem, the idea seems sound. Is there a better way to do it? It’s less than a month old, no? Once the dust settles, I’d say it’s something to revive in a secure, transparent way.

  • That’s the fun part of Twitter. It is an amalgamation of applications!

    The Twilight Zone! Now you see it, now you don’t.

  • knackerdhack -

    it looks to me like grouptweet could be built on the Twitter API without this risk. See: http://groups.google.com/group.....umentation

    new

    Sends a new direct message to the specified user from the authenticating user. Requires both the user and text parameters below. Request must be a POST. Returns the sent message in the requested format when successful.

    URL: http://twitter.com/direct_messages/new.format

    Formats: xml, json

    Parameters:

    * user. Required. The ID or screen name of the recipient user.
    * text. Required. The text of your direct message. Be sure to URL encode as necessary, and keep it under 140 characters.
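The following Python simulation is an added example, not code from the article, from GroupTweet or from Twitter. It models the behaviour described in the Update above (a relay that reads the direct messages of whatever account it is handed a password for and reposts them publicly) next to the safer design suggested in this comment (fan the message out with direct_messages/new instead of posting it). The in-memory MockTwitter, the account names and the messages are constructed here; the enrollment check that refuses an account which already has DM history is an assumed safeguard, not something GroupTweet is known to have implemented.

```python
"""Simulated DM relay: why handing a third-party app your primary account
password exposes private messages, and what a safer relay design looks like.
Added example with constructed accounts, messages and an in-memory stand-in
for the password-authenticated Twitter API; not GroupTweet's or Twitter's code."""
from dataclasses import dataclass, field


@dataclass
class DirectMessage:
    id: int
    sender: str
    recipient: str
    text: str


@dataclass
class MockTwitter:
    """Stand-in for the 2008-era API: password auth, DM inbox/sent, public timeline."""
    passwords: dict = field(default_factory=dict)
    dms: list = field(default_factory=list)
    timeline: list = field(default_factory=list)  # (author, text) public posts
    next_id: int = 1

    def _auth(self, user, password):
        if self.passwords.get(user) != password:
            raise PermissionError("bad credentials for %s" % user)

    def direct_messages_new(self, user, password, recipient, text):
        """Mirrors the documented direct_messages/new call: a DM from the authenticating user."""
        self._auth(user, password)
        dm = DirectMessage(self.next_id, user, recipient, text)
        self.next_id += 1
        self.dms.append(dm)
        return dm

    def direct_messages(self, user, password, since_id=0):
        """Inbox: DMs received by the authenticating user, newer than since_id."""
        self._auth(user, password)
        return [d for d in self.dms if d.recipient == user and d.id > since_id]

    def direct_messages_sent(self, user, password, since_id=0):
        self._auth(user, password)
        return [d for d in self.dms if d.sender == user and d.id > since_id]

    def statuses_update(self, user, password, text):
        """Public tweet: visible to anyone who opens the account's page."""
        self._auth(user, password)
        self.timeline.append((user, text))


def naive_relay(api, user, password):
    """The failure mode described in the thread: whatever account the app is
    given, it reposts every DM that account sent or received, history
    included, to the public timeline."""
    for dm in api.direct_messages(user, password) + api.direct_messages_sent(user, password):
        api.statuses_update(user, password, "%s: %s" % (dm.sender, dm.text))


def enroll_group_account(api, user, password):
    """Assumed safeguard (not GroupTweet's): refuse any account that already has
    DM history. A freshly created group account has none; a personal account
    almost always does. Returns the inbox high-water mark, 0 for a fresh account."""
    if api.direct_messages(user, password) or api.direct_messages_sent(user, password):
        raise ValueError("refusing %s: account already has direct messages" % user)
    return 0


def safe_relay(api, group_user, password, members, since_id):
    """Hardened relay: only DMs the group account received after enrollment,
    fanned out as DMs to the members via direct_messages/new, never posted
    publicly. Returns the new high-water mark so nothing is relayed twice."""
    for dm in api.direct_messages(group_user, password, since_id=since_id):
        for member in members:
            if member != dm.sender:
                api.direct_messages_new(group_user, password, member,
                                        "%s: %s" % (dm.sender, dm.text))
        since_id = max(since_id, dm.id)
    return since_id


def demo_naive():
    """Orli-style mistake: primary credentials handed to the naive relay."""
    api = MockTwitter(passwords={"orli": "pw1", "bob": "pw2"})
    api.direct_messages_new("bob", "pw2", "orli", "private: call me about the contract")
    api.direct_messages_new("orli", "pw1", "bob", "private: sure, after lunch")
    naive_relay(api, "orli", "pw1")
    return api.timeline  # both private messages are now public


def demo_safe():
    """Same mistake against the hardened design, then correct use with a
    dedicated group account. Returns (personal account enrolled?, public
    timeline, carol's inbox)."""
    api = MockTwitter(passwords={"orli": "pw1", "bob": "pw2", "team": "pw3", "carol": "pw4"})
    api.direct_messages_new("bob", "pw2", "orli", "private: call me about the contract")
    try:
        enroll_group_account(api, "orli", "pw1")  # personal account with DM history
        enrolled_personal = True
    except ValueError:
        enrolled_personal = False
    since = enroll_group_account(api, "team", "pw3")  # fresh dedicated account
    api.direct_messages_new("orli", "pw1", "team", "meeting moved to 3pm")
    since = safe_relay(api, "team", "pw3", ["orli", "bob", "carol"], since)
    safe_relay(api, "team", "pw3", ["orli", "bob", "carol"], since)  # no replay
    return enrolled_personal, api.timeline, api.direct_messages("carol", "pw4")
```

The naive relay leaks because it trusts the operator to have typed the right credentials and because it replays the account's whole DM history, sent side included (the point raised in an earlier comment). The hardened version removes both hazards: it rejects an account that already carries private conversation, tracks a high-water mark so only post-enrollment messages move, and delivers through direct messages so nothing ever lands on the public timeline. It still holds a password, which is the remaining weakness; the real fix is delegated, scoped authorization that never gives a third party the account password at all.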

  • maybe it’s time Orli gets a life :)

  • “I have to agree with Martin Jamieson, if Grouptweet can get your private messages through the API then there is already something wrong with Twitter.” Ditto that… but more importantly…

    Did you know that if your Twitter DM goes over 140 Characters it winds up on the Public Timeline?!? I’ve had it happen to me.

    What happened here is a FAIL for GroupTweet but what happened to me is a big fat FAIL for Twitter.

  • I think one of the hallmarks of good journalism is getting the facts straight before posting a story. In this case, the desire for an exclusive has clearly overridden the requirements of gathering facts.

    It could be said that publicising the story allowed the true story to come to light, but that only emphasises how the original report should have been more carefully phrased. The headline is still confusing people.

  • Yeap! the antisocial part of the social networks…

  • Techcrunch has become TechTwitter. All the time just news of Twitter

    Twitter everywhere :)

  • I think some are missing the point of having a full API. There is absolutely _no_ fault for Twitter in this case. They’ve implemented an API that basically would allow you to completely recreate their website in a client of your own whether it be desktop or web. That’s allowing _your_ data to run free.

    GroupTweet should have read the specification more carefully and users need to think twice about who they give their credentials to. If you give out the keys to your house to strangers, don’t be surprised when your stuff is gone.

  • James - no.

    this is exactly what blogging is supposed to be.
