The bug – discovered on 15 November and fixed the day after – could have revealed the country code of users’ phone numbers or if their account was locked, the company said.
IP addresses from the two countries had sent a large number of inquiries using the form, Twitter said.
These could have had ties to “state-sponsored actors”, Twitter said.
Stressing that they could not confirm “intent or attribution for certain”, Twitter’s statement said they had informed the authorities about their discovery in the interest of “full transparency”.
Those directly affected have been informed, Twitter said. No full phone numbers were revealed, nor any other personal data.
The company’s stock price dropped nearly 7% on Monday.
News of the bug comes on the same day the US Senate released a report revealing how Russia used every social media platform to influence the 2016 election.
With a particular focus on targeting conservatives with posts on immigration, race and gun rights, the country also tried to undermine the voting power of left-leaning African-American citizens by spreading misinformation about the electoral process.