The micro-blogging site Twitter admitted that it allowed advertisers to use personal information that users provided for two-factor authentication (2FA), such as email addresses and phone numbers, and that advertisers used it to send targeted ads to users.
Twitter said that the disclosure of its users' personal information was an “error” and apologized for the mistake. The social media platform clarified, however, that it did not intend to share the information, and that users' phone numbers and email addresses were “inadvertently” used for advertising purposes, specifically in its advertising platform.
“We recently discovered that when you provided an email address or phone number for safety or security purposes (for example, two-factor authentication) this data may have inadvertently been used for advertising purposes, specifically in our Tailored Audiences and Partner Audiences advertising system,” wrote Twitter in a disclosure notice through their official support site.
Twitter explained that “Tailored Audiences is a version of an industry-standard product,” which allows advertisers to target audiences on the platform through their own marketing lists. Advertisers upload these lists to the platform to help them tailor ads according to certain parameters. The lists usually include information such as demographic data, phone numbers, and email addresses.
In the process, Twitter said, several phone numbers and email addresses in the advertisers’ marketing lists were matched with phone numbers and email addresses saved on the platform for multi-factor authentication.
“When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes. This was an error, and we apologize,” the company explained.
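An added sketch (not Twitter's code, and not taken from the disclosure notice) of the list matching described above, showing a matcher that ignores why a contact point was collected beside a purpose-limited one. The purpose labels, the SHA-256 normalization, and all sample accounts are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

# Purpose labels are an assumption of this sketch, not Twitter's schema.
SECURITY, ADS_OK = "security", "ads_ok"

@dataclass(frozen=True)
class ContactPoint:
    value: str    # email address or phone number
    purpose: str  # why the user provided it

def norm_hash(value: str) -> str:
    """Normalize, then SHA-256, so list entries and stored values compare equal."""
    v = value.strip().lower()
    if "@" not in v:  # no "@": treat as a phone number, keep digits only
        v = "+" + "".join(ch for ch in v if ch.isdigit())
    return hashlib.sha256(v.encode()).hexdigest()

def match_audience(accounts, uploaded_hashes, allowed_purposes):
    """Return ids of accounts with a contact point in the uploaded list,
    considering only contact points collected for an allowed purpose."""
    uploaded = set(uploaded_hashes)
    return {
        account_id
        for account_id, points in accounts.items()
        if any(p.purpose in allowed_purposes and norm_hash(p.value) in uploaded
               for p in points)
    }

# Constructed sample data: bob and carol gave these values for 2FA only.
ACCOUNTS = {
    "alice": [ContactPoint("alice@example.com", ADS_OK)],
    "bob": [ContactPoint("+1 (555) 010-0199", SECURITY)],
    "carol": [ContactPoint("carol@example.com", SECURITY),
              ContactPoint("carol.ads@example.com", ADS_OK)],
}
MARKETING_LIST = [norm_hash(v) for v in
                  ("Alice@Example.com ", "15550100199", "carol@example.com")]

def flawed_match():
    # The error: security-purpose contact points take part in ad matching.
    return match_audience(ACCOUNTS, MARKETING_LIST, {SECURITY, ADS_OK})

def purpose_limited_match():
    # The correction: only contact points usable for ads are considered.
    return match_audience(ACCOUNTS, MARKETING_LIST, {ADS_OK})

if __name__ == "__main__":
    print("flawed:", sorted(flawed_match()))
    print("purpose-limited:", sorted(purpose_limited_match()))
```

The difference between the two result sets is the set of accounts targeted only because of data given for security purposes, which is the quantity an internal audit of such a matcher would want to measure.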
Two-factor authentication is a safety mechanism used by most online platforms to add a layer of security to accounts. With 2FA, a log-in must be verified with a code, usually sent to the registered phone number or email. 2FA is designed to prevent hackers from taking over accounts through credential stuffing and other similar attacks.
Twitter said that it still does not know how many people were affected by the 2FA blunder; however, the social media platform gave assurances that no personal data was ever shared externally with its partners or any other third parties.
The micro-blogging site said that the issue has been fixed since September 7, and advertisers will no longer be able to use user phone numbers and email addresses to serve targeted ads to their audiences.
“As of September 17, we have addressed the issue that allowed this to occur and are no longer using phone numbers or email addresses collected for safety or security purposes for advertising,” the disclosure notice reads. “We’re very sorry this happened and are taking steps to make sure we don’t make a mistake like this again.”
Twitter finds itself in the same boat as Facebook, which in a similar manner also admitted in the past that its advertisers had been using the phone numbers and email addresses users provided for two-factor authentication to serve targeted advertising.