Social networking platform Twitter has disclosed that it used phone numbers users provided for two-factor authentication (2FA), along with email addresses, to show targeted ads. When users and companies promote sponsored tweets on Twitter, they can filter an ad’s audience based on a series of criteria.
The problem, Twitter said, was that emails and phone numbers that users provided to be used specifically for security reasons where “inadvertantly” made available for “Tailored Audiences” and “Partner Audiences,” two of the company’s internal advertising systems.
Twitter said this was a bug, and not something it intended to do. The issue was fixed on September 17, and the company said that no user data was shared with external entities.
“We cannot say with certainty how many people were impacted by this, but in an effort to be transparent, we wanted to make everyone aware,” the company said in a short statement posted on its website.
Twitter now joins Facebook, which was caught doing the exact same thing last year by a group of academics from Northeastern University and Princeton University.
For the past year, the company has been disclosing similar blunders all over its platform.
In September 2018, Twitter said it disclosed details about an API bug that shared users’ private DMs with the wrong app devs.
In January 2019, Twitter disclosed another bug that exposed private tweets for some Android users for almost five years. Those tweets, meant to stay private, were visible to everyone, and were even indexed by search engines.
In May 2019, Twitter disclosed details about a third bug on its platform that shared location data for some iOS users with “a trusted partner.”
In August 2019, Twitter said fixed a fourth issue on its advertising platform that resulted in the company sharing some user data with advertising partners without the users’ express consent.
Also, on the same day, Twitter disclosed a fifth issue, one during which its advertising platform made inferences about a user’s devices to fine-tune ad delivery without the user’s express approval.