Twitter announced that the phone numbers and email addresses of some users provided for two-factor authentication (2FA) protection had been used for targeted advertising purposes—though the company said it was ‘unintentional.’
In a blog post, the company said an ‘error’ in its ‘Tailored Audiences and Partner Audiences advertising system’ inadvertently used the information provided by users for security reasons to run targeted ads based on the advertisers’ own marketing lists.
“When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes. This was an error and we apologize,” Twitter said in a blog post.
Since Twitter requires users to provide a valid phone number to enable 2nd-factor protection, even when they don’t want to rely on phone SMSes for receiving 2FA code and opt for security keys or authenticator apps instead, users had no option to prevent themselves from this error.
However, Twitter assured that no personal data was ever shared externally with its advertising partners or any other third-parties that used the Tailored Audiences feature.
The social networking company also said that it does not know how many users were impacted by this error.
“We cannot say with certainty how many people were impacted by this, but in an effort to be transparent, we wanted to make everyone aware,” Twitter wrote.
“As of September 17, we have addressed the issue that allowed this to occur and are no longer using phone numbers or email addresses collected for safety or security purposes for advertising.”
Last year, Facebook was also caught using phone numbers provided by its users for 2FA protection; however, in that case, the FTC accused the company of intentionally using that data for advertising purposes—which became one of the reasons FTC issued a $5 billion fine against Facebook in July this year.