Twitter announced on Tuesday it inadvertently used emails and phone numbers entered for two-factor authentication (2FA), a security measure users can enable to protect their accounts, to target ads to some users included in Tailored Audiences and Partner Audiences lists.

The company said, as of September 17, the mistake had been corrected and that it was no longer using two-factor phone numbers or email addresses to target ads.

What happened? Twitter’s Tailored Audiences and Partner Audiences allow advertisers to target users based on marketing lists they upload to upload to Twitter. The company admits that in some cases it matched that data to emails and phone numbers intended for security purposes — a practice Twitter has said in the past it does not do. It said it is unsure how many users may have been impacted.

“When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes,” said Twitter.

The company called it an error and apologized for misusing user data to target ads. It also said no user data was shared externally with marketing partners or other third-parties.

Background on 2FA and ad targeting. A year ago, researchers at Northwestern University discovered Facebook was using phone numbers entered by users for 2FA purposes to target ads on the platform.

The difference between what Facebook was doing and what happened with Twitter is that Facebook acknowledged this was a regular practice on the platform. Twitter’s data misuse was a mistake. Facebook told Marketing Land at the time: “We’re clear with people that we use the information people provide to offer a more personalized experience, including showing more relevant ads. So when someone adds a phone number to their account for example, at sign up, on their profile, or during the two-factor authentication signup — we use this information for the same purposes.”

Among the social networks we surveyed at the time– Twitter, Snapchat, LInkedIn, Pinterest, Reddit and Facebook — Facebook was the only company to say it uses data provided for security purposes for ad targeting.

Why we should care. Advertising platforms have been under scrutiny for their historically lax data practices for years now. Eight years ago, Twitter agreed to a settlement with the FTC over charges that it “deceived consumers and put their privacy at risk by failing to safeguard their personal information.” As part of that settlement, Twitter was barred for 20 years from misleading users about how it protects their “nonpublic” information, i.e. data entered for 2FA. This latest mishandling could bring further FTC scrutiny. In July, the FTC imposed a $5 billion fine on Facebook for sloppy user data handling and violations of its own 2012 consent decree.

About The Author