On Tuesday, Twitter announced that it “unintentionally” used phone numbers and email addresses for advertising purposes even though the information was provided by users for two-factor authentication.

According to Twitter, no personal data was shared with the company’s third-party partners, and the “issue that allowed this to occur” has been addressed. As of September 17th, phone numbers and email addresses are collected only for security purposes, Twitter said.

“We cannot say with certainty how many people were impacted by this,” Twitter said in a blog post disclosing the security mishap. “We’re very sorry this happened and are taking steps to make sure we don’t make a mistake like this again.”

Over the past year, Facebook has taken the brunt of criticism over its privacy malpractices, but Twitter has been embroiled in its own controversies over how it handles the privacy of its users. Just last month, Twitter CEO Jack Dorsey’s account was compromised after hackers were able to tweet racial slurs via text message.

In May 2018, Twitter advised all 330 million of its users to change their passwords after a bug was discovered that exposed those passwords in plain text. Twitter said at the time that no information was breached or misused.