In brief: One of the biggest problems with Twitter has long been the prevalence of trolls on the platform. Users can protect themselves from unwanted followers and comments by making their accounts protected, but a bug that was affecting people for over four years meant some private tweets were made public.
The issue had been around since November 3, 2014, but it only affected Android device users, not those on iOS or who only used the web version. Twitter says that these mobile users who made account changes, such as altering their email address, had the "Protect your Tweets" setting disabled without them knowing.
It's likely that those affected would have realized their accounts were public when Twitter users were able to follow them without requiring permission. Non-followers would have been able to see and comment on their posts, too. But that's no excuse for the problem to have gone on for so long. Twitter said it only fixed the bug on January 14, 2019.
We've become aware of and fixed an issue where the "Protect your Tweets" setting was disabled on Twitter for Android. Those affected have been alerted and we've turned the setting back on for them. More here: https://t.co/0qM5B1S393
--- Twitter Support (@TwitterSupport) 17 January 2019
Twitter added that it has contacted those affected and turned the Protected setting back on for them. It also said that it's made a public statement because it "can't confirm every account that may have been impacted." The company didn't reveal how many Android users were confirmed to have been affected.
"We recognize and appreciate the trust you place in us, and are committed to earning that trust every day," wrote the microblogging site. "We're very sorry this happened and we're conducting a full review to help prevent this from happening again."