Twitter reveals 2FA security data has 'inadvertently been used for advertising purposes'
Twitter has announced that email addresses and phone numbers provided by users for use with two-factor authentication (2FA) have been "inadvertently" used to deliver tailored ads.
The company says it does not know how many people are affected by the incident, but apologizes for letting private data be used in this way. The timing of the announcement is a little strange. Twitter says that the matter was under control as of September 17, and it is not quite clear why it took three weeks to go public about it -- even though it says "in an effort to be transparent, we wanted to make everyone aware".
There is a twisted irony to the fact that this security lapse involves data that users were encouraged to part with to increase the security of their Twitter accounts. Twitter is just one of many companies that have been pushing 2FA as one of the best ways of ensuring security and privacy.
As well as seemingly being unaware of how many users were affected, Twitter also fails to provide individuals with a way to determine if their 2FA data was used to deliver targeted ads. The reaction to an announcement on the Twitter Support account was, er, less than positive:
We recently found that some email addresses and phone numbers provided for account security may have been used unintentionally for advertising purposes. This is no longer happening and we wanted to give you more clarity around the situation: https://t.co/bBLQHwDHeQ
— Twitter Support (@TwitterSupport) October 8, 2019
Twitter's full statement about the matter reads:
We recently discovered that when you provided an email address or phone number for safety or security purposes (for example, two-factor authentication) this data may have inadvertently been used for advertising purposes, specifically in our Tailored Audiences and Partner Audiences advertising system.
Tailored Audiences is a version of an industry-standard product that allows advertisers to target ads to customers based on the advertiser's own marketing lists (e.g., email addresses or phone numbers they have compiled). Partner Audiences allows advertisers to use the same Tailored Audiences features to target ads to audiences provided by third-party partners. When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes. This was an error and we apologize.
We cannot say with certainty how many people were impacted by this, but in an effort to be transparent, we wanted to make everyone aware. No personal data was ever shared externally with our partners or any other third parties. As of September 17, we have addressed the issue that allowed this to occur and are no longer using phone numbers or email addresses collected for safety or security purposes for advertising.
We're very sorry this happened and are taking steps to make sure we don't make a mistake like this again. If you have any questions, you may contact Twitter's Office of Data Protection through this form.