UPDATE, 3 p.m. Pacific time: Twitter appears to have fixed the bug, and DMs from before June 11 do not appear to be affected. But anybody you sent a DM to between June 11 and June 18 now has the email address you’re using on your Twitter account.
FYI – when you send a DM, the receiver CAN SEE YOUR EMAIL ADDRESS from the DM sent via email. BE AWARE!!! @twitter #security #fail
– ChicagoBungalow about 18 hours ago on Twitter
For those who aren’t on Twitter, a DM is a “direct message”, twitterspeak for a private message between two people. When you receive a DM, Twitter notifies you via email. And sure enough, just as ChicagoBungalow said, if I send you a DM and you look at the header information of the notification email, you’ll see that the “Sender” field has an address like:
twitter-dm-jon_pincus=yahoo.com@postmaster.twitter.com
This field is hidden by default — in Gmail, you need to select “Show original” to see it — but once you find it, it doesn’t take a rocket scientist to figure out what yahoo.com account name I used to sign up on Twitter.
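An added example, not code from the original post or from Twitter: a check a notification service could run on its own outgoing mail, flagging hidden headers whose local part encodes an address other than the recipient's own (bounce-handling schemes often encode the recipient's address, which tells the recipient nothing new). The header list, the regex and the sample messages are assumptions constructed for illustration; the `user=domain` encoding is the one in the Sender value above.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Headers that mail clients hide by default (assumed list, extend as needed).
HIDDEN_HEADERS = ("Sender", "Return-Path", "Errors-To")

# Local part ending in "<user>=<domain>", as in the Sender value quoted in the post.
# Limitation: a hyphen in <user> is indistinguishable from the prefix separator.
EMBEDDED = re.compile(r"(?:^|[-+])([A-Za-z0-9._]+)=((?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,})$")

def embedded_addresses(raw_message):
    """Return (header, decoded_address) for each address encoded in a hidden header."""
    msg = message_from_string(raw_message)
    found = []
    for header in HIDDEN_HEADERS:
        for _name, addr in getaddresses(msg.get_all(header, [])):
            local, _, _host = addr.rpartition("@")
            match = EMBEDDED.search(local)
            if match:
                found.append((header, f"{match.group(1)}@{match.group(2)}"))
    return found

def leaks_to_third_party(raw_message):
    """Keep only embedded addresses that are not the message's own recipient."""
    msg = message_from_string(raw_message)
    recipients = {a.lower() for _n, a in getaddresses(msg.get_all("To", []))}
    return [(h, a) for h, a in embedded_addresses(raw_message)
            if a.lower() not in recipients]

# Constructed sample: the Sender value from the post, sent to a made-up recipient.
LEAKY = (
    "To: alice@example.org\n"
    "Sender: twitter-dm-jon_pincus=yahoo.com@postmaster.twitter.com\n"
    "Subject: Direct message\n"
    "\n"
    "You have a new direct message.\n"
)

# Constructed sample: bounce address that encodes only the recipient's own address.
BENIGN = (
    "To: alice@example.org\n"
    "Return-Path: <bounce-alice=example.org@mail.example.net>\n"
    "Subject: Direct message\n"
    "\n"
    "You have a new direct message.\n"
)
```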
If I want somebody to have my email address, I’ll send it to them. I don’t want Twitter giving it out for me. And most especially, I don’t want Twitter doing it behind my back.
jon
PS: I updated this post several times to clarify the description; thanks to all for the feedback, and @NiteStar for the Gmail instructions.