Twitter has acknowledged a privacy screw-up with the mobile phone numbers users submitted to the social media service when activating two-factor authentication. The company has been letting online marketing firms use the same phone numbers to serve users with targeted ads.

"We recently found that some email addresses and phone numbers provided for account security may have been used unintentionally for advertising purposes," the company announced on Tuesday.

We recently found that some email addresses and phone numbers provided for account security may have been used unintentionally for advertising purposes. This is no longer happening and we wanted to give you more clarity around the situation: https://t.co/bBLQHwDHeQ — Twitter Support (@TwitterSupport) October 8, 2019

The personal data was never directly exposed to the online advertisers. The privacy mistake involves how advertising clients can submit a marketing list containing email addresses and phone numbers of users they'd like to target on Twitter.

"When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes. This was an error and we apologize," the company said in a blog post.

It remains unclear how many people had their data exposed, but the problem was patched on Sept. 17. "In an effort to be transparent, we wanted to make everyone aware. No personal data was ever shared externally with our partners or any other third parties," Twitter added.

Facebook made the same mistake last year when it was found using phone numbers from the company's two-factor authentication system for advertising purposes. The US Federal Trade Commission later declared the practice a privacy violation in July's $5 billion settlement with Facebook regarding how the social network was allowing third parties to collect people's personal data without their consent.

Twitter declined to elaborate further on the mistake. But it's important to note: when you first register with the service, the company can actually target you with ads based on the email address or phone number you supplied at sign-up, according to the company's privacy policy. However, the privacy rules change if you created an account with only an email address and then supplied a phone number to activate two-factor authentication; in that case, Twitter should only be able to serve targeted ads to you based on the email address, and not the phone number.
