Twitter said it discovered the bug in its Account Activity API (AAAPI), which lets registered developers build tools to help businesses communicate with customers.
Users who interacted with accounts or businesses that relied on developers using the AAAPI may have had their direct messages or protected tweets sent to the wrong people. For example, a direct message to an airline about lost bags may have accidentally been sent to the wrong recipient.
The issue began in May. Twitter said it issued a fix when it discovered the problem on September 10.
Twitter said in a statement it was "very sorry this happened."
"Any party that may have received unintended information was a developer registered through our developer program, which we have significantly expanded in recent months to prevent abuse and misuse of data," Twitter said in a statement.
The company said it will contact people directly through an in-app notice and on Twitter's site if their account was affected by the bug.
Some users tweeted screenshots of the notifications they'd received from Twitter.
"Sorry, what ?! My DMs may have been sent to developers for a more than a year??" Mashable reporter Karissa Bell tweeted.
In a tweet, Twitter said: "We haven't found an instance where data was sent to the incorrect party. But we can't conclusively confirm it didn't happen, so we're telling potentially impacted people about the bug. If you were potentially involved, we'll contact you today. We're sorry that this happened."
Twitter said it reached out to developer partners to make sure they delete any information they shouldn't have.
"Our investigation is ongoing," Twitter said in the statement. "We will continue to provide updates with any relevant information."
This article originally appeared on CNET, titled, "Twitter may have sent your private DMs to the wrong people -- but probably not."