Twitter has admitted to a major privacy blunder where email addresses and phone numbers that were provided for account security may have been used to serve targeted ads to users.
In a statement on its official blog, Twitter said:
“We recently discovered that when you provided an email address or phone number for safety or security purposes (for example, two-factor authentication) this data may have inadvertently been used for advertising purposes, specifically in our Tailored Audiences and Partner Audiences advertising system.”
Tailored Audiences allows advertisers to serve targeted ads based on lists of email addresses or phone numbers they have collected. Partner Audiences allows advertisers to serve targeted ads based on lists of email addresses or phone numbers collected by third parties. Twitter’s error means that users who provided these details strictly to secure their account may have also been matched up with these advertising lists and served personalized ads.
Twitter said it’s unsure how many people have been affected by the error but it wanted to make everyone aware in an “effort to be transparent.” The company added that the email addresses and phone numbers weren’t shared with any of the advertisers using these programs and that the error was addressed on September 17. However, Twitter didn’t explain why it waited three weeks to disclose this error to users.
The news of this privacy blunder comes just over a month after Twitter CEO Jack Dorsey had his account hacked after a SIM swap – a technique where hackers convince carriers to switch a user’s phone number to a SIM card that they control. The hack of Dorsey came days after multiple YouTube stars and celebrities including Shane Dawson and James Charles also had their Twitter accounts hacked as a result of SIM swapping.
This spate of Twitter account takeovers led to criticism of Twitter’s security measures and in particular, Twitter’s requirement for users to hand over their phone number to enable two-factor authentication, even if that phone number isn’t being used as an authentication method. At the time, users argued that this requirement puts Twitter accounts at risk of SIM swapping. Now, this requirement has also compromised user privacy with some of these phone numbers being used to serve ads without user consent.
Twitter’s admission is almost identical to a Facebook admission from 2018 where Facebook users' phone numbers that had been provided for security purposes were used to serve targeted ads. However, prior to this incident, Facebook had allowed users to secure their account without providing a phone number which meant users who had done this weren’t affected by the Facebook privacy blunder. To date, Twitter offers no such option and users who want to use two-factor authentication, have to provide a phone number.
As with the previous Twitter SIM swap incidents, this Twitter privacy blunder points to a wider issue of many tech companies forcing users to hand over phone numbers if they want to secure their accounts via two-factor authentication. Research from Google has shown that SMS code verification is one of the weakest forms of device-based account protection and a phone number is not required for other stronger forms of account protection. Despite these statistics, Twitter and many other companies continue to require phone numbers from users who want to enable these account protection services.