In yet another privacy breach, Twitter has admitted that users who provided email addresses or phone numbers for security features on the platform, such as two-factor authentication (2FA), were served targeted ads.
The personal data “may have inadvertently been used for advertising purposes, specifically in our Tailored Audiences and Partner Audiences advertising system,” the micro-blogging platform said in a statement late Tuesday.
Twitter does not know how many of its users were affected. It had 139 million average monetizable daily active users (mDAUs) as of Q2 2019.
“We’re very sorry this happened and are taking steps to make sure we don’t make a mistake like this again,” said the company.
Two-factor authentication adds a layer of security to the authentication process, making it harder for hackers to gain access to your accounts.
“Tailored Audiences” is a version of an industry-standard product that allows advertisers to target ads to customers based on the advertiser’s own marketing lists (like email addresses or phone numbers they have compiled).
“Partner Audiences” allows advertisers to use the same “Tailored Audiences” features to target ads to audiences provided by third-party partners.
“When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes. This was an error and we apologize,” said Twitter.
The company, however, claimed no personal data was ever shared externally with its partners or any other third parties.
“We have addressed the issue that allowed this to occur and are no longer using phone numbers or email addresses collected for safety or security purposes for advertising,” Twitter added.
It’s the latest in a series of security lapses at Twitter in the past year.
Last year, the micro-blogging platform asked its 336 million users to change their passwords across its services after it discovered a bug that stored passwords in plain text in an internal system.
In August this year, hackers broke into Twitter CEO Jack Dorsey’s account and posted a flurry of rogue tweets, including racial slurs.
The micro-blogging platform said that it had secured Dorsey’s account, which fell victim to ‘SIM swapping’ or ‘SIM jacking’, in which a mobile number is transferred to a new SIM card.