"Twitter Password Reset Bug Exposed User Accounts"

Twitter has remediated an issue that allowed accounts to stay logged in across multiple devices even after a voluntary password reset. Twitter explained that the bug meant users who proactively changed their password on one device may still have been able to use open sessions on other devices. This matters because users who chose to reset their password voluntarily may have done so precisely because they suspected their account had been compromised. The bug meant that a threat actor who had gained access to an account by some means would have retained that access even after such a reset. It is currently unclear exactly how long users were exposed in this way, but Twitter explained that the issue appeared after it made a change “last year” to the systems that power its password reset functionality.
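The failure mode described above, as an added illustration that is not Twitter's code: a simplified in-memory session store where each session records the password generation it was issued under, so a reset bumps the counter and every session issued earlier is rejected. The `check_generation=False` variant reproduces the bug; password hashing and persistence are omitted and the user, device and token names are constructed for the example.

```python
import secrets


class SessionStore:
    """In-memory session store (constructed example, not Twitter's code).

    check_generation=False: a password reset leaves every existing session
    usable, which is the bug described above.
    check_generation=True: every session records the password generation it
    was issued under, a reset bumps the generation, and stale sessions fail.
    """

    def __init__(self, check_generation: bool):
        self.check_generation = check_generation
        self.pw_generation = {}   # user -> int, incremented on every reset
        self.sessions = {}        # token -> (user, generation at issue time)

    def login(self, user: str) -> str:
        gen = self.pw_generation.setdefault(user, 0)
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, gen)
        return token

    def is_valid(self, token: str) -> bool:
        entry = self.sessions.get(token)
        if entry is None:
            return False
        user, gen = entry
        if not self.check_generation:
            return True   # vulnerable: never compared against a later reset
        return gen == self.pw_generation.get(user, 0)

    def reset_password(self, user: str, from_token: str) -> str:
        """Change the password (hashing omitted), invalidate all sessions
        issued before the reset, and re-issue a session for the device
        that performed the reset."""
        self.pw_generation[user] = self.pw_generation.get(user, 0) + 1
        self.sessions.pop(from_token, None)
        return self.login(user)


def demo(check_generation: bool) -> dict:
    """Two devices logged in; the reset happens on the phone."""
    store = SessionStore(check_generation)
    phone = store.login("alice")
    other_device = store.login("alice")   # e.g. a session an intruder holds
    new_phone = store.reset_password("alice", from_token=phone)
    return {"other_device_still_valid": store.is_valid(other_device),
            "resetting_device_valid": store.is_valid(new_phone)}


if __name__ == "__main__":
    print("vulnerable:", demo(False))
    print("hardened:  ", demo(True))
```

In a real deployment the generation counter lives beside the password hash and is compared on every authenticated request, so a reset logs out all other devices without needing to enumerate their sessions.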

Infosecurity reports: "Twitter Password Reset Bug Exposed User Accounts"
