
Twitter Used 2FA Phone Numbers to Sell Ads

[Image: Twitter fail whale. Image credit: Screenshot by Tom's Guide]

Twitter has issued a mea culpa for repurposing user information that was meant to be private in its advertising platforms.

In a statement this week, Twitter said that it had discovered instances of user phone numbers and email addresses being "inadvertently" used for its Tailored Audiences and Partner Audiences advertising platforms.

According to Twitter, the phone numbers and email addresses were uploaded to its service for security features, like two-factor authentication (2FA), and shouldn't have been used in any way for advertising.

But for an unidentified period of time, they were. Twitter said that it turned off the use of the personal information for ads on September 17.

Tailored Audiences is designed to let advertisers target their own customers who are already using Twitter. It does that by checking the advertiser's own contact-list information, such as email addresses and phone numbers, against Twitter's user base.

Partner Audiences is a similar service that targets Twitter users with ads, but relies on third-party data instead of the information an advertiser might have collected on its own.

Twitter said that it believes the personal information was shared after advertisers uploaded their own or third-party datasets of users to Twitter servers. The company then matched its own database of phone numbers and email addresses against those uploaded by advertisers (mistakenly, it says), causing the "error."
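The matching flow described above, as an added illustration of where the mistake lives and how purpose limitation prevents it. This is not Twitter's code, and the article does not describe its internals; the SHA-256 hashed upload format, the per-identifier purpose tags, and all sample users and hashes are constructed for the example. The naive index matches every stored identifier, so a phone number supplied only for 2FA becomes an ad-matching key; the purpose-limited index only ever indexes identifiers the user agreed to have used for advertising.

```python
import hashlib
import re
from dataclasses import dataclass

# Purpose tags attached to each stored identifier (constructed for this example).
SECURITY = "security"        # supplied only to enable 2FA or account recovery
ADVERTISING = "advertising"  # user agreed to ad-audience matching on this identifier


@dataclass(frozen=True)
class Contact:
    kind: str            # "email" or "phone"
    value: str
    purposes: frozenset  # uses of this identifier the user agreed to


@dataclass
class User:
    user_id: str
    contacts: tuple


def normalize(kind, value):
    """Canonicalise an identifier so both sides hash the same bytes."""
    if kind == "email":
        return value.strip().lower()
    if kind == "phone":
        return "+" + re.sub(r"\D", "", value)
    raise ValueError(f"unknown identifier kind: {kind}")


def hash_identifier(kind, value):
    """Assumed upload format: SHA-256 of the normalised identifier.
    (An assumption for this example; the article does not describe the format.)"""
    return hashlib.sha256(normalize(kind, value).encode()).hexdigest()


def build_match_index(users, required_purpose=None):
    """Map hashed identifier -> (user_id, kind).

    required_purpose=None indexes every stored identifier, which is the failure
    mode the article describes: a 2FA-only phone number becomes matchable.
    required_purpose=ADVERTISING indexes only identifiers the user agreed to
    have used for ads, so security-only data never enters the ad pipeline."""
    index = {}
    for user in users:
        for c in user.contacts:
            if required_purpose is not None and required_purpose not in c.purposes:
                continue
            index[hash_identifier(c.kind, c.value)] = (user.user_id, c.kind)
    return index


def match_audience(users, uploaded_hashes, required_purpose=None):
    """Return {user_id: {kinds that matched}} for an advertiser's uploaded hashes."""
    index = build_match_index(users, required_purpose)
    matched = {}
    for h in uploaded_hashes:
        if h in index:
            user_id, kind = index[h]
            matched.setdefault(user_id, set()).add(kind)
    return matched


# Constructed sample users (not real people).
USERS = [
    User("alice", (
        Contact("email", "Alice@Example.com", frozenset({"account", ADVERTISING})),
        Contact("phone", "+1 (555) 010-0001", frozenset({SECURITY})),  # given for 2FA only
    )),
    User("bob", (
        Contact("phone", "+1 555 010 0002", frozenset({SECURITY})),    # given for 2FA only
    )),
]

# Constructed advertiser upload: hashes of identifiers the advertiser already holds.
UPLOAD = [
    hash_identifier("phone", "+15550100001"),
    hash_identifier("phone", "+15550100002"),
    hash_identifier("email", "alice@example.com"),
]


def naive_matches():
    """The broken behaviour: 2FA phone numbers match, so bob is targeted."""
    return match_audience(USERS, UPLOAD)


def purpose_limited_matches():
    """The corrected behaviour: only alice's advertising-consented email matches."""
    return match_audience(USERS, UPLOAD, required_purpose=ADVERTISING)


if __name__ == "__main__":
    print("naive:", naive_matches())
    print("purpose-limited:", purpose_limited_matches())
```

The design point is that the purpose check sits at index-build time, not at query time: a matching service that never loads security-only identifiers cannot leak them through any later query path, and an audit of the index contents is enough to prove it.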

The problem, however, is that Twitter doesn't know whether your information was revealed or not. In its statement, the company said that it "cannot say with certainty how many people were impacted by this." It added, however, that information wasn't shared outside of Twitter's own platform.

Still, for affected users, there isn't much to do, other than hope it doesn't happen again. And Twitter said it's doing what it can to make sure it doesn't.

"We’re very sorry this happened and are taking steps to make sure we don’t make a mistake like this again," the company said.

Don't give up on 2FA

Unfortunately, Twitter requires that any user who wants to enable 2FA provide his or her mobile phone number to Twitter. That applies whether the user wants SMS-based 2FA, which does need the mobile number, or other 2FA methods such as authenticator apps or physical security keys, which don't use phone numbers.

Other prominent online services, such as Google, don't require users to provide phone numbers to use non-SMS-based 2FA.

Any kind of 2FA is better than no 2FA at all, since 2FA is a very good safeguard against jerks hijacking your online accounts, even if they know your username and password. 

But SMS-based 2FA is the weakest form, because SMS messages can be intercepted and phone numbers can be stolen. Authenticator apps and physical security keys are much better.