This article was published on October 8, 2019

Twitter says it used your 2FA info to advertise by accident


Twitter today revealed it may have misappropriated its users’ private info by giving it to advertisers. The information in question? Your email address or phone number — whichever you used for two-factor authentication or security purposes.

The error apparently stemmed from Twitter’s Tailored Audiences advertising program. The program lets advertisers match customers with appropriate ads by comparing their own lists of email addresses and phone numbers against the ones users have provided to Twitter.

Except those details weren’t provided to Twitter for the purposes of advertising or even identification. They were provided to help protect users’ accounts one way or another. Twitter admitted it didn’t know exactly how many users were impacted by this, but said the issue was fixed as of September, adding, “This was an error and we apologize.”

This language, in which Twitter calls the error, “the issue that allowed this to occur,” is way too passive. Feels like someone’s trying to distance themselves from the situation. I’m willing to bet this issue wasn’t so much “allowed” to occur as it was actively implemented by someone, and the company is hoping to save face by revealing it now and saying it’s “taking steps to make sure we don’t make a mistake like this again.”

Another reason the company might want to ‘fess up now? Facebook was called out for doing the exact same thing last year. When it confirmed this to TechCrunch, a spokesperson said, “We use the information people provide to offer a better, more personalized experience on Facebook, including ads. We are clear about how we use the information we collect, including the contact information that people upload or add to their own accounts.” The only solution it offered for people who didn’t want their information used this way? Don’t use phone-number-based 2FA.

This flip attitude towards users’ personal information was one of the major violations cited in the FTC’s complaint against Facebook, according to the Washington Post. And in July, Facebook was slapped with a $5 billion fine over this complaint. Now you might know why Twitter’s so eager to apologize.

If you’re feeling vulnerable and want to do something about it, Twitter does offer authenticator-based 2FA, meaning you don’t have to use any personal information. It’s not much, but it’s something.
