Like other social networks, Twitter offers two-factor authentication to help users increase the security of their accounts. The platform, however, allowed the cell phone numbers and email addresses that users entered to enable this protection to be used for targeted ads.
In a statement, Twitter admitted that advertisers ran campaigns based on this data. This was possible through ad systems in which companies use their own phone and email lists to target ads to customers.
The failure happened when users were matched against those lists using the cell phone numbers or emails they had provided to activate two-factor authentication, data that should have stayed between account owners and the social network. “That was a mistake and we apologize,” says the note.
Twitter did not say how many users were affected, but gave assurances that no data was obtained by third parties. “On September 17, we solved the problem that allowed this to happen and we no longer use phone numbers or email addresses collected for security purposes in advertising.”
Still, the social network continues to ask for a cell phone number from those who activate two-factor authentication. The number is essential for confirmation by SMS, but dispensable for those who use applications such as Google Authenticator or physical security keys.
According to Ars Technica, Twitter representatives say the cell phone number is required to avoid situations in which users lose access to their other means of authentication and are unable to get back into their accounts.
Twitter is not the only company to have used cell phone numbers and emails provided for two-factor authentication to target ads. In an agreement with the Federal Trade Commission (FTC), Facebook agreed to pay a $5 billion fine and, among other things, stop using security data for advertising.