A basic premise of Twitter is that the user (@) is the one that is able to send a message for any given account. But that premise was challenged by a security bug that Twitter patched at the end of February, that was only publicly disclosed on May 22.
The bug was reported to Twitter by a security researcher that uses the alias ‘Kedrisch’ , by way of Twitter’s bug bounty program which is run by Hackerone.