X (Twitter) — Data Breach
Executive Summary
Twitter admitted that phone numbers and email addresses provided by users for two-factor authentication had been inadvertently used for advertising targeting since 2014. The company said it had matched security contact information to advertiser audience lists through its Tailored Audiences system, affecting an estimated 140 million users. This practice later formed the basis of the FTC's $150 million fine in 2022.
What Happened
Twitter disclosed on October 8, 2019 that it had been inadvertently using phone numbers and email addresses provided by users for two-factor authentication to serve targeted advertisements through its Tailored Audiences program since 2014. User security contact information was matched against advertiser marketing lists; the company called this an error that was fixed on September 17, 2019. Twitter did not initially disclose how many users were affected, though later reports estimated around 140 million users were impacted.
Who Is Affected
Twitter users who provided phone numbers or email addresses to enable two-factor authentication on their accounts had that security contact information used for advertising targeting. The practice affected users globally over a five-year period from 2014 to 2019.
Why It Matters
This incident is a breach of user trust: security information provided specifically to protect accounts was repurposed for commercial advertising without user consent. The practice mirrored a violation by Facebook that resulted in a $5 billion FTC fine, and Twitter's own incident ultimately led to a $150 million penalty in 2022. The misuse potentially discouraged users from enabling two-factor authentication, a critical security feature.
What You Should Do
Users should consider switching from phone-based two-factor authentication to authenticator app-based two-factor authentication on Twitter, which is more secure and less vulnerable to interception and SIM swapping attacks. They should also review their Twitter privacy and security settings to understand what contact information is associated with the account and how it may be used.
AI-Assisted
Event summaries are generated by Claude AI from verified sources and reviewed by humans before publication.