
Uncovering a Privacy Vulnerability in the Community Archive: Exposure of Twitter Circle Tweets

alice · 4 min read


The Community Archive, described as "An open database and API anyone can build on," currently hosts "5.5M tweets and 11.0M liked tweets contributed from 246 accounts." As an advocate for open data, I appreciate the project's potential, especially its collection of tweet archives from many great posters.

However, I recently identified a significant vulnerability: the unintended public exposure of Twitter Circle tweets, messages intended for a limited audience.

Discovery of the Vulnerability

February 17, 2025: Before uploading my own Twitter archive to the project, I wanted to make sure that Circle tweets were appropriately filtered. There were none. I contacted the project creator, Xiq, for clarification.

February 19, 2025: He responded and said he had previously spot-checked his tweets and found no Circle tweets in the archives, assuming they were excluded by default.

February 20, 2025: Using the Archive's Advanced Search feature, I discovered many Circle tweets from several users fairly quickly, confirming the vulnerability, and disclosed it to Xiq.

Examples have been identified but are withheld here to protect user privacy.

Further investigation revealed that Circle tweets carry no identifying marker in Twitter archives: the exported tweet objects look identical to public tweets, which makes it hard to impossible to filter them out reliably.

Timeline of Disclosure

February 20, 2025: Reported the issue to Xiq, detailing the vulnerability and its potential impact. He acknowledged the issue, indicating a need for time to assess before making an announcement.

March 4, 2025: Followed up with him; he mentioned progress in identifying affected tweets and efforts to determine whether they were Circle tweets.

March 9, 2025: He reported a potential solution using the syndication API, estimating a 90-hour process to check 1,000 tweets every 15 minutes, as well as a plan to protect users in the future.

March 13, 2025: Requested a status update; no response received.

March 17, 2025: Verified that Circle tweets remain publicly accessible in the Community Archive and contacted Xiq again. I set a firm 48-hour deadline for public disclosure and emphasized the urgency.

About 9 hours after that, he sent out an email to users outlining some measures: disabling access to the affected dates in the archive (not quite; see below) and disabling downloads of the raw JSON archives (note: this doesn't appear to have fully happened, and people can still download them from the website).

[Image: the email sent to users]

The affected dates are also wrong: Twitter started testing Circles on May 3, 2022 and finished rolling it out for everyone on August 30, 2022 (https://blog.x.com/en_us/topics/product/2022/introducing-twitter-circle-new-way-tweet-smaller-crowd).

While Twitter officially shut down Circles on Oct 31, 2023, there was a workaround to post new ones for perhaps another week or two, and even as of today, per my testing, you can still post new replies to existing Circle tweets. These are definitely edge cases, but cases nonetheless.
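Since the archive format carries no Circle flag, the only conservative option on the archive side is to quarantine by date: treat every tweet created between the start of Circle testing and the shutdown (plus a grace period for the workaround) as potentially private, and also catch later replies threaded under those tweets. The script below is an added example, not the Community Archive's code or the fix Xiq described; it parses the `window.YTD.<name>.part0 = [...]` wrapper of an archive's `tweet.js`/`tweets.js`, takes the creation time from `created_at` or, failing that, from the snowflake ID, and applies the date window from this post. The 14-day grace period and the sample tweets are constructed assumptions for illustration.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Circle availability per the X blog post cited above: testing began 2022-05-03
# and the feature was shut down 2023-10-31. The grace period covers the
# "another week or two" workaround; its exact length is an assumption.
CIRCLE_START = datetime(2022, 5, 3, tzinfo=timezone.utc)
CIRCLE_END = datetime(2023, 10, 31, tzinfo=timezone.utc)
GRACE = timedelta(days=14)

# Twitter snowflake epoch: 2010-11-04T01:42:54.657Z in milliseconds.
TWITTER_EPOCH_MS = 1288834974657


def snowflake_to_datetime(id_str: str) -> datetime:
    """Recover the creation time embedded in a tweet ID (timestamp sits above the low 22 bits)."""
    ms = (int(id_str) >> 22) + TWITTER_EPOCH_MS
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def parse_tweet_js(text: str) -> list[dict]:
    """Strip the 'window.YTD.<name>.partN = ' prefix and return the inner tweet objects."""
    body = re.sub(r"^\s*window\.YTD\.\w+\.part\d+\s*=\s*", "", text, count=1)
    return [entry["tweet"] for entry in json.loads(body)]


def tweet_time(tweet: dict) -> datetime:
    """Prefer created_at; fall back to the snowflake ID if it is missing or malformed."""
    try:
        return datetime.strptime(tweet["created_at"], "%a %b %d %H:%M:%S %z %Y")
    except (KeyError, ValueError):
        return snowflake_to_datetime(tweet["id_str"])


def flag_possible_circle_tweets(tweets: list[dict]) -> set[str]:
    """Return IDs that must be withheld: anything in the Circle window, plus later
    replies that sit in a thread under a flagged tweet (new replies to Circle
    tweets could still be posted after the shutdown)."""
    flagged: set[str] = set()
    for t in sorted(tweets, key=tweet_time):  # parents before their replies
        if CIRCLE_START <= tweet_time(t) <= CIRCLE_END + GRACE:
            flagged.add(t["id_str"])
        elif t.get("in_reply_to_status_id_str") in flagged:
            flagged.add(t["id_str"])
    return flagged


# Constructed sample in the archive's own wrapper format (not real tweets).
# The second entry deliberately omits created_at to exercise the snowflake fallback;
# its ID encodes 2022-06-01T00:00:00Z.
SAMPLE_TWEET_JS = """window.YTD.tweets.part0 = [
  {"tweet": {"id_str": "1400000000000000000", "created_at": "Tue Jun 01 12:00:00 +0000 2021",
             "full_text": "public tweet before Circles existed"}},
  {"tweet": {"id_str": "1531787609502646272",
             "full_text": "tweet inside the Circle window, no marker distinguishes it"}},
  {"tweet": {"id_str": "1720000000000000000", "created_at": "Wed Nov 15 10:00:00 +0000 2023",
             "in_reply_to_status_id_str": "1531787609502646272",
             "full_text": "reply posted after the shutdown, under a flagged tweet"}},
  {"tweet": {"id_str": "1730000000000000000", "created_at": "Fri Dec 01 09:00:00 +0000 2023",
             "full_text": "unrelated public tweet after the shutdown"}}
]"""


def demo() -> set[str]:
    return flag_possible_circle_tweets(parse_tweet_js(SAMPLE_TWEET_JS))


if __name__ == "__main__":
    for tweet_id in sorted(demo()):
        print("withhold:", tweet_id)
```

The window is deliberately over-inclusive: it will withhold plenty of genuinely public tweets, but with no marker in the export that is the trade-off, and a user can always re-publish what they choose to. Note that the reply rule only sees replies within the same archive; a reply to someone else's Circle tweet cannot be recognised this way.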

Current Status

As of March 18, 2025, 02:16 GMT, you can still see some Circle tweets posted before August 2023 in the Community Archive, and (potentially) some posted after the official shutdown; and you can still download people's raw archives from the website. Presumably both of these will be patched soon; however, I'm unwilling to wait any longer on this.

Potential Impact: serious privacy risks

Unauthorized Access: Private Circle tweets are accessible publicly, violating user expectations of confidentiality. The irony that Twitter shut down Circles after they leaked twice is not lost on me.

Data Exploitation: The exposed tweets could be misused, leading to personal or professional repercussions for affected people.

Recommendations for Affected Users

If you've uploaded your archive previously, delete it immediately until this issue is fully fixed. If you haven't uploaded it yet, I strongly advise you not to do so at this time.

Final Thoughts

These issues matter. Privacy matters, and it should always take precedence over convenience, especially when handling sensitive data. While I'm glad some steps have finally been taken, several remain incomplete, and at this stage keeping users in the dark only increases potential harm. If anything, I regret not posting publicly about this sooner; well-intentioned delays only compound the risk.