Twitter recycled 2FA phone numbers to tailor ads

Twitter has revealed it used email addresses and phone numbers provided by users for account safety and security purposes to tailor advertisements.

The company issued a statement saying that the misuse of that information was a “mistake” and was “inadvertent”.

It said that the account security contact information had not been disclosed to third parties, but could not say how many users had been affected.

“We recently discovered that when you provided an email address or phone number for safety or security purposes (for example, two-factor authentication) this data may have inadvertently been used for advertising purposes, specifically in our Tailored Audiences and Partner Audiences advertising system,” Twitter said.

“Tailored Audiences is a version of an industry-standard product that allows advertisers to target ads to customers based on the advertiser's own marketing lists (e.g. email addresses or phone numbers they have compiled). 

“Partner Audiences allows advertisers to use the same Tailored Audiences features to target ads to audiences provided by third-party partners. 

“When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes. 

“This was an error and we apologise.”

The company said it had decided to “make everyone aware” of the issue given it was unable to narrow down exactly which accounts may have been impacted.

Users were largely unimpressed at the revelation. Infosec professionals warned that it could lead people to distrust and ultimately abandon 2FA security on accounts.

“As of September 17, we have addressed the issue that allowed this to occur and are no longer using phone numbers or email addresses collected for safety or security purposes for advertising,” Twitter said.

Facebook was caught out using 2FA data for targeted advertising last year.