Twitter also said the loophole was patched in September
Twitter has revealed that it “inadvertently” used phone numbers and email addresses, which were provided by users for two-factor authentication on their accounts, in order to serve them with targeted ads.
In the disclosure, made on Tuesday, the micro-blogging site said it was not possible to tell how many users were affected by the security breach.
Issuing an apology, Twitter went on to explain its Tailored Audiences and Partner Audiences advertising system. The Tailored Audiences program lets advertisers target ads at customers on the basis of the advertiser's marketing lists, which may include email addresses or phone numbers they have gathered.
Partner Audiences, on the other hand, lets advertisers use the same Tailored Audiences system to target audiences with ads by third-party partners. Twitter discovered the issue when an advertiser posted their marketing lists and found that the lists were being matched to Twitter users through the phone numbers and email addresses those users had shared to set up two-factor authentication on their accounts.
It said, “When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes. This was an error and we apologize.”
However, Twitter's blog post added that the issue had been resolved as of September 17.
Setting up two-factor authentication adds a layer of security for users, making it tougher for hackers to access their accounts. It allows people to use their phones to receive two-factor codes; however, the authentication system has its own susceptibilities, such as swapping and interception.
For Twitter, this is yet another security issue for its users. In 2018, Twitter confirmed that it stored passwords in plaintext, revealed a phone number leak bug despite having known about it for two years, and also admitted a location data leak in May. Two months later, the account of Twitter CEO Jack Dorsey was also hacked.
This comes a year after social media giant Facebook was found to be using its users’ email addresses and phone numbers, which they shared with Facebook for securing their accounts, for targeted ads instead, noted TechCrunch.
The Federal Trade Commission (FTC) fined Facebook a staggering $5 billion in early 2019, launched an investigation into its practices and also banned it from using for advertising the phone numbers it gathered for setting up two-factor authentication, as per the report.