When some users provided Twitter with their phone number to make their account more secure, the company used this information for advertising purposes, according to a blog post from Twitter published on Tuesday.
This isn't the first time that a large social network has taken information explicitly meant for the purposes of security, and then quietly or accidentally use it for something else entirely. Facebook did something similar with phone numbers provided by users for two-factor authentication, the company confirmed last year.
"We recently discovered that when you provided an email address or phone number for safety or security purposes (for example, two-factor authentication) this data may have inadvertently been used for advertising purposes, specifically in our Tailored Audiences and Partner Audiences advertising system," Twitter's announcement reads.
In short, when an advertiser using Twitter uploaded their own marketing list of email addresses or phone numbers, Twitter may have matched the list to people on Twitter "based on the email or phone number the Twitter account holder provided for safety and security purposes," the post adds.
"This was an error and we apologize," it read.
Know about a misuse of data? We'd love to hear from you. You can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on email@example.com, or email firstname.lastname@example.org.
Twitter says it cannot say with certainty how many people were impacted by this issue, but says the problem was fixed as of September 17.
This use of data provided by users deliberately for the purposes of security for advertising could make people think twice about using a phone number to secure their account at all. Despite this, two-factor authentication remains a good security practice for the vast majority of Twitter users.
"We’re very sorry this happened and are taking steps to make sure we don’t make a mistake like this again," Twitter's post added.
Subscribe to our cybersecurity podcast, CYBER.