A bug discovered on the 15th of November 2018 and fixed the day after could have revealed the country code of users' phone numbers or if their account was locked, Twitter reveals in a statement this week and they add that the virus may have come from China and Saudi Arabia.
The IP addresses from the two countries had sent a large number of inquiries using the form, Twitter said.
These could have had ties to "state-sponsored actors", Twitter said.
Stressing that they could not confirm "intent or attribution for certain", Twitter's statement said they had informed the authorities about their discovery in the interest of "full transparency".
Those directly affected have been informed, Twitter said. No full phone numbers were revealed, nor any other personal data. In addition, the company's stock price dropped nearly 7% on Monday.
News of the bug comes on the same day the US Senate released a report revealing how Russia cast-off every social media platform to influence the 2016 election.
With a specific focus on targeting conformists with posts on immigration, race and gun rights, the country also tried to undermine the voting power of left-leaning African-American citizens by spreading misrepresentation about the electoral process.