Twitter has admitted that it has unintentionally misused users’ personal data for advertising purposes.
The data it misused are the email addresses and phone numbers that users supply to Twitter for security purposes, namely for two-factor authentication.
This is not the first gaffe made by the microblogging website. Last year, in 2018, for example, Twitter urged all users to change their passwords after a “bug” meant that people’s passwords were stored “unmasked in an internal log.”
And then in 2016 it reset the passwords for users after 32 million login details (in plain text) were uploaded to a website, but Twitter denied at the time that it had been hacked.
But now Twitter has admitted to another gaffe with users’ security data, meant to safeguard their accounts.
“We recently discovered that when you provided an email address or phone number for safety or security purposes (for example, two-factor authentication) this data may have inadvertently been used for advertising purposes, specifically in our Tailored Audiences and Partner Audiences advertising system,” Twitter admitted in a blog post.
According to Twitter, the Tailored Audiences system is used by advertisers to target adverts to potential customers based on lists that the advertisers have created (typically phone numbers and email addresses).
Meanwhile, Partner Audiences provides those same features to advertisers, but the lists are created by third parties.
“When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes,” said Twitter. “This was an error and we apologize.”
Twitter said it had resolved the issue by 17 September, but it could not say “with certainty how many people were impacted by this, but in an effort to be transparent, we wanted to make everyone aware.”
“No personal data was ever shared externally with our partners or any other third parties,” said Twitter.
“We’re very sorry this happened and are taking steps to make sure we don’t make a mistake like this again,” it concluded, before inviting concerned users to Twitter’s Office of Data Protection.
Twitter has had other security issues before.
Aside from the password reset in 2012, Twitter also mistakenly sent out emails telling users their accounts were at risk in March 2014.
Those emails said their accounts had been compromised and users should change their passwords in order to minimise any potential damage.
Fast forward two years to February 2016, and Twitter was in the spotlight again when it revealed a serious vulnerability with its password recovery system that could have exposed the account details of almost 10,000 active Twitter users.
Twitter admitted that the bug could have revealed the account details including email addresses and phone numbers associated with the affected accounts.
And then in June that same year Twitter was forced to lock accounts of users whose passwords were exposed in a database of up to 32 million login details which were uploaded to the web. However, it denied the credentials were obtained in an attack on its servers.