Twitter has said it used phone numbers and email addresses, provided by users to set up two-factor authentication on their accounts, to serve targeted ads.
In a disclosure Tuesday, the social media giant said it did not know how many users were impacted.
The issue stemmed from the company’s tailored audiences program, which allows companies to target advertisements against their own marketing lists, such as phone numbers and email addresses. But Twitter found that when advertisers uploaded their marketing lists, it matched Twitter users to the phone numbers and email addresses users submitted to set up two-factor authentication on their account.
The issue was addressed as of September 17, the disclosure said.
Two-factor authentication is an important security feature that makes it far more difficult for hackers to break into user accounts. Although some use their phone number as a way to receive two-factor codes, it’s a method that has long been vulnerable to interception and SIM swapping attacks. Users should instead switch to Twitter’s authenticator-based two-factor.
Twitter finds itself in the same boat as Facebook, which last year was caught using users’ phone numbers and email addresses, which they gave Facebook for securing their accounts, for targeted advertising. The Federal Trade Commission fined the social networking giant $5 billion earlier this year and was prohibited from using the phone numbers it obtained for setting up two-factor for advertising.
For its part, Twitter said its ad targeting was “an error” and apologized.
It’s the latest in a number of security lapses at Twitter in the past year. Last year, the company admitted to storing passwords in plaintext, disclosed a phone number leak bug despite knowing about it for two years, and confirmed a location data leak in May.
In August, Twitter chief executive Jack Dorsey had his own account hacked.