The revelation led to Twitter stock dropping nearly 7 per cent on Monday.
In a statement, Twitter said it discovered the bug on November 15 and fixed it a day later.
“During our investigation, we noticed some unusual activity involving the affected customer support form API. Specifically, we observed a large number of inquiries coming from individual IP addresses located in China and Saudi Arabia,” said the micro-blogging platform, used by over 336 million users, referring to the bug in one of its support forms.
“While we cannot confirm intent or attribution for certain, it is possible that some of these IP addresses may have ties to state-sponsored actors,” Twitter warned.
The bug, said the company, could be used to discover the country code of people’s phone numbers if they had one associated with their Twitter account, as well as whether or not their account had been locked by Twitter.
Twitter locks an account if it appears to be compromised or in violation of its rules or Terms of Service.
“Importantly, this issue did not expose full phone numbers or any other personal data.
“We have directly informed the people we identified as being affected. We are providing this broader notice as it is possible that other account holders we cannot identify were potentially impacted,” Twitter said, adding it is “sorry this happened”.
A Twitter spokesperson told TechCrunch: “For our part, we are committed to understanding how bad-faith actors use our services. We will continue to proactively combat nefarious attempts to undermine the integrity of Twitter.”