Twitter has admitted that personal contact information of users may have “inadvertently been used for advertising purposes.”
According to a statement published earlier, it discovered that when users provided an email address or phone number for safety or security purposes (for example, two-factor authentication) this data may have been the recipient of Twitter’s Tailored Audiences and Partner Audiences advertising system.
“Tailored Audiences is a version of an industry-standard product that allows advertisers to target ads to customers based on the advertiser's own marketing lists (e.g., email addresses or phone numbers they have compiled)” it explained, while Partner Audiences allows advertisers to use the same Tailored Audiences features to target ads to audiences provided by third-party partners.
The statement read: “When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes. This was an error and we apologize.”
It could not say “with certainty” how many people were impacted by this, but it clarified that no personal data was ever shared externally with partners, or any other third parties.
“As of September 17, we have addressed the issue that allowed this to occur and are no longer using phone numbers or email addresses collected for safety or security purposes for advertising.”
In an email to Infosecurity, Javvad Malik, security awareness advocate for KnowBe4, said that many companies have implemented two-step authentication for services via an SMS message to the users phone, as this protects accounts against attacks such as credential stuffing, where attackers can access accounts by having the password.
“However, with email address and phone numbers, advertisers are able to profile people more accurately across multiple services and target them with more accuracy,” he said. “It is unfortunate that Twitter allowed this to happen, as these details were only provided for security purposes.
“In light of this, and other similar revelations in the past, as well as the growing number of attacks such as SIM swap, which hijack users phone numbers, companies should make the strategic decision to move away from using a phone number as a primary means of authentication, and adopt more secure alternatives for multi-factor authentication.”
Stuart Sharp, VP of solution engineering at OneLogin, said that it would be up to the lawyers to decide whether or not Twitter's misuse of personal contact details broke the letter of the law, but “it certainly broke the spirit of GDPR.”
He said: “This type of activity will likely result in users removing their phone numbers from the site, which will ultimately affect the number of people using additional factors for authentication such as text verification, which is a massive step backwards for all those working hard to push MFA as a method of increasing security online. Ultimately, everyone will lose as Twitter accounts will be more vulnerable to malicious take-over.”