Biden's $400B vaccination plan Galaxy S21 preorders Google Doodle celebrates basketball inventor Drivers License breaks Spotify records WandaVision review Oculus Quest multiuser support Track your stimulus check

Twitter misused security information for advertising purposes

You might've given your phone number to Twitter for two-factor authentication. The company said that number could've been used for advertising.


Twitter says it goofed.

Angela Lang/CNET

A Twitter security feature may've wound up costing people their data privacy, the company said in a statement Tuesday. Twitter said it recently discovered that email addresses and phone numbers meant to be used for security "may have inadvertently been used for advertising purposes." 

You can give Twitter your phone number for protections like two-factor authentication, which is supposed to make it harder for hackers to access your account -- even if they steal your username and password, they can't take over your account unless they also have your phone number. 

That information is supposed to be used solely for account protection purposes, but Twitter said advertisers were able to tap the phone numbers to target commercials, through the company's "Tailored Audiences" and "Partner Audiences advertising system. 

Those tools let advertisers aim a specific ad at a customer based on their own marketing lists. For example, if you'd given your phone number to a pharmacy chain for discounts, that chain could advertise to you on Twitter based on that same phone number. 

"When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes," Twitter said in a statement. "This was an error and we apologize."

The company didn't disclose how many people were affected, and it said it addressed the issue on Sept.17. Twitter didn't explain why it waited three weeks to disclose this to the public. 

Facebook made a similar disclosure in March, saying it had also tied phone numbers for security purposes with targeted advertising. 

The issue with mixing advertising with phone numbers specifically provided for two-factor authentication is that it essentially puts security and privacy at odds with each other. Two-factor authentication is an important security feature that significantly reduces the chances of a hacker taking over your account, but people are less inclined to use it if they feel it takes away their privacy. 

Researchers have found that the security measure already suffers from a low adoption rate, and Twitter's revelation doesn't do it any favors. 

If you're concerned about this happening in the future with any other platforms that offer two-factor authentication, consider using methods outside of SMS for the security measure. In 2016, the National Institute of Standards and Technology stopped recommending SMS for two-factor authentication, noting that there were better ways to authenticate yourself. 

You can use tools like authenticator apps, which Twitter started supporting in 2017, or security keys. In April, Google announced that Android phones could function as security keys

Originally published Oct. 8, 1:40 p.m. PT.
Update, 1:57 p.m.: Adds more details on the security issue.