Twitter says it inadvertently used private information, provided by users for the purpose of protecting their accounts, to help companies target them with ads.
Users provided Twitter with their phone numbers and email addresses in order to enable certain security features, such as two-factor authentication, to prevent their accounts from being hijacked. Twitter, in turn, used that information to help advertisers reach specific audiences, the company said in a statement on Tuesday.
“We cannot say with certainty how many people were impacted by this, but in an effort to be transparent, we wanted to make everyone aware. No personal data was ever shared externally with our partners or any other third parties,” the company said.
The personal data was used in Twitter’s “Tailored Audiences” advertising system, which allows companies to upload lists of phone numbers and email addresses of people they wish to target with ads. Twitter then matches the lists with its own internal records.
Twitter said the error that allowed the security information to be used was fixed as of September 17. It did not say how long the error was ongoing. A company spokesperson said it had nothing further to share regarding the timeline beyond what’s in its statement.
“We’re very sorry this happened and are taking steps to make sure we don’t make a mistake like this again,” it said in a statement.
Twitter is not the first social media company to use contact information provided by users for security purposes in order to make money. Gizmodo revealed that Facebook was intentionally doing so last year.