Twitter misused security information for advertising purposes

You might've given your phone number to Twitter for two-factor authentication. The company said that number could've been used for advertising.

Alfred Ng Senior Reporter / CNET News

Twitter says it goofed. (Photo: Angela Lang/CNET)

A Twitter security feature may've wound up costing people their data privacy, the company said in a statement Tuesday. Twitter said it recently discovered that email addresses and phone numbers meant to be used for security "may have inadvertently been used for advertising purposes."

You can give Twitter your phone number for protections like two-factor authentication, which is supposed to make it harder for hackers to access your account -- even if they steal your username and password, they can't take over your account unless they also have your phone number. 

That information is supposed to be used solely for account protection purposes, but Twitter said advertisers were able to tap the phone numbers to target commercials, through the company's "Tailored Audiences" and "Partner Audiences" advertising systems.

Those tools let advertisers aim a specific ad at a customer based on their own marketing lists. For example, if you'd given your phone number to a pharmacy chain for discounts, that chain could advertise to you on Twitter based on that same phone number. 

"When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes," Twitter said in a statement. "This was an error and we apologize."
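As an added illustration of the mitigation (this is not Twitter's code and not a description of how Tailored Audiences is actually built), the following sketch tags each stored contact identifier with the purpose it was collected for and lets list matching see only identifiers the user provided for advertising, so a number given for two-factor authentication can never match an uploaded marketing list. The hashing scheme, normalization rules and sample users are assumptions.

```python
# Added example (not Twitter's code): purpose-limited audience matching.
# Each contact identifier records the purposes it was collected for, and the
# matcher only indexes identifiers collected for advertising, so a phone
# number given solely for 2FA can never match an uploaded marketing list.
import hashlib
import re
from dataclasses import dataclass

@dataclass
class Contact:
    value: str            # raw phone number or email address
    purposes: frozenset   # e.g. {"2fa"} or {"advertising", "account"}

@dataclass
class User:
    user_id: str
    contacts: list

def normalize(identifier: str) -> str:
    """Canonical form before hashing: lower-case emails, digits-only phones."""
    ident = identifier.strip().lower()
    return ident if "@" in ident else "+" + re.sub(r"\D", "", ident)

def hash_identifier(identifier: str) -> str:
    """Advertisers upload hashed lists, so both sides hash the same way (assumed)."""
    return hashlib.sha256(normalize(identifier).encode()).hexdigest()

def build_index(users, allowed_purpose):
    """Map hashed identifier -> user_id for contacts collected for
    `allowed_purpose`. Passing None reproduces the flawed behaviour the
    article describes: every identifier, 2FA numbers included, is matchable."""
    index = {}
    for user in users:
        for c in user.contacts:
            if allowed_purpose is None or allowed_purpose in c.purposes:
                index[hash_identifier(c.value)] = user.user_id
    return index

def match_audience(users, uploaded_hashes, allowed_purpose="advertising"):
    """Return the user_ids an advertiser's hashed list can reach."""
    index = build_index(users, allowed_purpose)
    return {index[h] for h in uploaded_hashes if h in index}

# Constructed sample data: Alice gave a number only for 2FA; Bob opted his
# email into advertising. The pharmacy's marketing list contains both.
USERS = [
    User("alice", [Contact("+1 (555) 010-0001", frozenset({"2fa"}))]),
    User("bob", [Contact("bob@example.com", frozenset({"advertising", "account"}))]),
]
PHARMACY_LIST = [hash_identifier("1 555 010 0001"), hash_identifier("Bob@Example.com")]
```

With the purpose check in place `match_audience(USERS, PHARMACY_LIST)` reaches only Bob; passing `allowed_purpose=None` shows the failure mode, where Alice's 2FA number is matched as well.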

The company didn't disclose how many people were affected, and it said it addressed the issue on Sept. 17. Twitter didn't explain why it waited three weeks to disclose this to the public.

Facebook made a similar disclosure in March, saying it had also tied phone numbers for security purposes with targeted advertising. 

The issue with mixing advertising with phone numbers specifically provided for two-factor authentication is that it essentially puts security and privacy at odds with each other. Two-factor authentication is an important security feature that significantly reduces the chances of a hacker taking over your account, but people are less inclined to use it if they feel it takes away their privacy. 

Researchers have found that the security measure already suffers from a low adoption rate, and Twitter's revelation doesn't do it any favors.

If you're concerned about this happening in the future with any other platforms that offer two-factor authentication, consider using methods outside of SMS for the security measure. In 2016, the National Institute of Standards and Technology stopped recommending SMS for two-factor authentication, noting that there were better ways to authenticate yourself.

You can use tools like authenticator apps, which Twitter started supporting in 2017, or security keys. In April, Google announced that Android phones could function as security keys.

Originally published Oct. 8, 1:40 p.m. PT.
Update, 1:57 p.m.: Adds more details on the security issue.