Protected accounts are those that require the owner to manually approve followers, and only those followers can read the owner's tweets. Some unapproved users were able to read unprotected tweets that were sent via SMS/push notifications.
Twitter referenced the bug in a rather short security post on their blog and didn't divulge many details. They said that the bug, which affected 93,788 protected accounts, had been fixed, unapproved users had now been removed and users affected by the bug had been notified via email.
"While the scope of this bug was small in terms of affected users, that does not change the fact that this should not have happened. We’ve emailed each of these affected users to let them know about this bug and extend our whole-hearted apologies," read the post from Bob Lord, director of information security.
Twitter thanked its white hat security community, a group of independent security researchers who volunteer their time to spot potential security issues, a member of which was the first to notice the bug and help fix it.