The flaw made direct messages public for a small number of users who may have used the company's UberSocial and Twidroyd software in a very specific way, said Steve Chadima, chief marketing officer with UberMedia, the company that develops UberSocial. Users who typed "d username" and then sent direct messages longer than 140 characters could have had their messages viewed by anyone. Users who send direct messages using UberSocial's default @username syntax were not affected, he said in an e-mail interview.

The flaw was fixed on UberSocial's back-end servers late Thursday, Chadima said.

UberSocial, formerly known as UberTwitter, fixed a similar problem about a month ago, but the company's developers didn't realize that it could be a problem if people typed "d username."

"[N]o one thought of these rarely used conventions like 'd username,'" Chadima said. These are "used almost exclusively by SMS tweeters, not those tweeting from apps that have buttons you can click or tap on to generate a direct message."

"There are so few users that this actually affects that we hadn't caught this until Twitter pointed it out," he said.