It meant some passwords were stored in plain text on its internal computer system.
The problem was related to Twitter’s use of “hashing” technology, which replaces passwords with numbers and letters as a user enters them.
But the bug caused them to be written to an internal computer log before the hashing process was completed.
Twitter did not say how many passwords were affected, but a source reported to be “familiar with the company’s response” said the number affected was “substantial” and that the passwords had been exposed for “several months”.
The company insisted the problem had now been fixed.
An internal investigation found no indication that passwords were stolen or misused, Twitter added, but users should change their passwords “out of an abundance of caution”.
Twitter said on its blog: “We are very sorry this happened.
“We recognise and appreciate the trust you place in us, and are committed to earning that trust every day.”
It added: “We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again.”
The news comes as the European Union is due to start enforcing the General Data Protection Regulation, a strict privacy law which can see companies fined for breaches.