Twitter says it has fixed a bug that meant users weren’t logged out of active sessions on all devices after manually resetting their passwords.
Writing on its blog, Twitter said:
Staying logged in on multiple devices after explicitly changing an account password is a huge security risk. If someone has breached an account already, that would leave them logged in and able to impersonate the user, rummage through DMs, change the password again, and more.
Twitter says it has logged out all affected users, everywhere.
Twitter says it has reached out to users who might have been affected by the bug. For everyone else, it’s business as usual.
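The failure mode described above (a password reset that leaves older sessions alive) can be shown with a small server-side session model. This is an added illustration, not Twitter's code: `AccountStore`, the `epoch` counter and the `revoke_sessions` switch are hypothetical names, and the two-device scenario is constructed.

```python
import hashlib, hmac, os, secrets

class AccountStore:
    """In-memory stand-in for a user table and a server-side session table."""

    def __init__(self):
        self.users = {}     # username -> {"salt", "pw_hash", "epoch"}
        self.sessions = {}  # token -> (username, credential epoch at login)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password):
        salt = os.urandom(16)
        self.users[user] = {"salt": salt, "pw_hash": self._hash(password, salt), "epoch": 0}

    def login(self, user, password):
        rec = self.users.get(user)
        if rec is None or not hmac.compare_digest(rec["pw_hash"], self._hash(password, rec["salt"])):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, rec["epoch"])
        return token

    def whoami(self, token):
        user, epoch = self.sessions.get(token, (None, None))
        # A session is only valid for the credential epoch it was issued under.
        if user is None or self.users[user]["epoch"] != epoch:
            self.sessions.pop(token, None)
            return None
        return user

    def reset_password(self, user, new_password, revoke_sessions=True):
        rec = self.users[user]
        rec["salt"] = os.urandom(16)
        rec["pw_hash"] = self._hash(new_password, rec["salt"])
        if revoke_sessions:
            rec["epoch"] += 1  # every session issued before the reset is now stale
        return self.login(user, new_password)  # fresh session for the resetting device

def demo(revoke_sessions):
    """Constructed scenario: two devices logged in, then a reset from the phone."""
    store = AccountStore()
    store.register("alice", "old-password")
    laptop = store.login("alice", "old-password")
    phone = store.login("alice", "old-password")
    new_phone = store.reset_password("alice", "new-password", revoke_sessions)
    return store.whoami(laptop), store.whoami(phone), store.whoami(new_phone)
```

With `revoke_sessions=False` the pre-reset laptop session still resolves to the account; with the default, only the session issued after the reset survives.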