The users were in countries like France, Greece and Turkey, and some of them were politicians and officials. TechCrunch found a senior Israeli politician, for instance.

Balic didn’t notify Twitter, but did warn some users directly. Twitter blocked his effort on December 20th and hasn’t publicly acknowledged the flaw so far. We’ve asked Twitter for comment.

This hasn’t been Twitter’s best year in terms of security. On top of the two most recent flaws, it accidentally shared location data and acknowledged that phone numbers might have been used for ad targeting. While major damage hasn’t ensued from these incidents, it’s clear Twitter will have to put in some effort if it’s going to reassure users.