Twitter used two-factor authentication details to serve targeted ads

Twitter today disclosed it had inadvertently used information gathered by its two-factor authentication security system to serve targeted adverts. The details, which include phone numbers and email addresses, were used as part of Twitter’s Tailored Audiences and Partner Audiences advertising systems.

Tailored Audiences allows advertisers to target ads based on details of potential customers that they have already acquired. Suppose a large online retailer has a customer’s email address and wants to recommend them a widget. Twitter Tailored Audiences would ensure that the ad goes directly to the intended audience.

The problem is that two-factor authentication is primarily a security system, and users should feel comfortable enough to use it without the fear that their details would be repurposed for marketing.

“When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes. This was an error and we apologize,” the company wrote in a blog post.

Twitter says it plugged the hole on Sept. 17 with a software update. Unfortunately, the company is uncertain how many users were affected by this error. Those with concerns are encouraged to reach out to Twitter’s data protection bureau via an online form.

In the grand scheme of things, this isn’t much of an issue for Twitter, and seems unlikely to dent the company’s public trust. As far as privacy lapses go, it pales in comparison to what affected users in the wake of Facebook’s Cambridge Analytica scandal.

That said, the mistake could dissuade users from using two-factor authentication, which is a fundamental step in protecting an online account from hackers. If people think they might end up being on the receiving end of privacy-harming targeted adverts, they might think twice before handing over their phone numbers.