In short: Twitter began notifying users of a bug that the company has known about since May 2017. This bug was sending private direct messages to developers who "were not authorized to see direct messages". Twitter stated that as soon as they found the bug, they patched it and fixed the issue. However, the issue is that this bug was not caught until September 10, 2018. That's over 16 months after the bug began sending direct messages to unauthorized developers. That's a pretty big deal, as you might imagine. Twitter noted that this bug came from a developer API that was primarily used by businesses to interact with customers, and may have collected those direct messages by mistake. Twitter is also noting that if your account was affected by this bug "we will contact you directly through an in-app notice and on twitter.com."
Background: This is definitely not a good thing for Twitter, especially since they are still dealing with a number of issues that relate to users' trust of the platform. For a bug to be sending these direct messages to developers for over a year is a pretty big deal. While it would still be a big deal if this happened for a few weeks or even months, over a year is a much bigger issue. For example, how come it took Twitter so long to even notice this bug?
Impact: There is likely going to be a big impact for Twitter due to this. But as a public company, Twitter had to let all of its users know about this issue. After this news broke this afternoon, Twitter's stock has dropped quite a bit. At the time of writing this, it is down about four-percent for the day. And it will likely drop even further in after hours trading. Twitter could also see a number of users leaving the platform over this issue, as direct messages are supposed to be private and not sent to businesses.