X acknowledges security incident that made private likes public

Recently, X (formerly Twitter) made a change to its platform that made likes private, so only the account owner can see the posts they have liked. Despite that though, a recent security incident showed others private likes.

X has sent users an email (which was seen by 9to5Mac) acknowledging that the incident occurred in June 2024, shortly after the change that made the likes private to begin with. X says despite the change, there was still a way for other people to view private likes.

Previously, anyone could see a list of all the posts that a public X account had liked. The change was made because X believed having the likes public was "encouraging the wrong behavior" for some users. Examples of "wrong behavior" were some people's hesitation to like something in fear that might be "edgy" or they'd get retaliation from trolls, or to protect their public image.

X says that it's already taken steps to ensure likes remain private, as they should. Despite the change though, the likes count on any given post remains public.

In my opinion, I appreciate the fact that X is letting users know about the incident and it seems like that's the right thing to do instead of pretending nothing happened. But if you're promising privacy, you should ensure it works just how it's supposed to. I'm prone to criticizing such privacy incidents because of big promises that weren't held. Luckily though, now it seems the problem has been fixed, and it seems not everyone was affected by the bug.