Twitter "inadvertently" used phone numbers for security to push ads
Twitter on Tuesday disclosed that it "inadvertently" used phone numbers and email addresses users provided for security purposes to deliver targeted ads.
The social media company said information that users had provided for two-factor security authentication — additional credentials used to verify members in case of a breach — was used by advertisers to match members to their own marketing lists. Twitter did not disclose how many of its 300-million-plus users were affected.
"We cannot say with certainty how many people were impacted by this, but in an effort to be transparent, we wanted to make everyone aware," read a company release.
Twitter said it fixed the issue as of September 17. The company also said it did not share personal data with advertisers or other third parties.
Marketers are permitted to use data that social media users intentionally disclose in accounts — in the form of tweets and profile information — to deliver targeted ads in promoted tweets. But they're not supposed to have access to information used to secure accounts, according to CNET senior producer Dan Patterson.
In an interview with CBSN, Patterson described Twitter's misstep as particularly "egregious."
"Security is supposed to be 'church and state' — in a totally different bucket," Patterson said. "Connecting those two is a serious violation of security and privacy and that meant that, once again, the information you provided to protect your account was used to target you with advertisements."
Advertisers can use information like phone numbers and email addresses to better identify users by location and deliver more precise advertisements.
Concerned social media users can download applications like Google Authenticator or Authy, which generate codes to verify accounts. A third-party company called Yubikey even manufactures physical devices that, when inserted into a computer, can generate a digital key.
However, even these options have their limits, Patterson said. "You do have alternatives," he explained, "but these alternatives are not really clear when you're using a site like Twitter or Facebook."
— The Associated Press contributed to this report.