Twitter: We accidentally used security data to target users with ads

Twitter announced Tuesday that email addresses and phone numbers used to secure accounts had accidentally been used for advertising purposes.

In a blog post, the company says the addresses and numbers were used in its “Tailored Audiences” product, which allows advertisers to target ads to customers based on the advertiser’s own marketing lists.

“When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes,” the blog states. “This was an error and we apologize.”

Twitter does not know how many people were impacted by the error. The company says no data was shared with third parties that used the Tailored Audiences feature.

Twitter users share phone numbers with the company for security purposes, particularly for its two-factor authentication feature. With that feature, Twitter sends a code to the stored phone number via SMS, which is then used to further authenticate a user’s login.

Security experts have frowned upon using SMS in the two-factor authentication process, mainly due to SIM hijacking, which typically involves hackers posing as their victim in order to transfer a phone number from one device to another.

Other social media networks have moved away from using phone numbers in their two-factor authentication process. In May 2018, Facebook moved away from requiring a phone number to use the service to sign into the company’s platform.

However, Facebook also never explicitly told users it was using those numbers for advertising purposes. That act was among the many reasons the Federal Trade Commission issued a $5 billion fine against the company in July.