Twitter has admitted using phone numbers provided for two-factor authentication (2FA), as well as user email addresses, for advertising purposes.
Although the 2FA phone number is supposed to be used exclusively for account security. However, Twitter admitted that some advertisers were able to use that information to target ads through its “Tailored Audiences” and “Partner Audiences” advertising systems.
We’re very sorry this happened and are taking steps to make sure we don’t make a mistake like this again
The Tailored Audiences programme enables organisations to target adverts against their own marketing lists, including emails addresses and phone numbers.
According to Twitter, when advertisers uploaded their own marketing list of phone number and email addresses, Twitter’s software matched that list to Twitter users based on the 2FA details (phone number and email addresses) provided to them solely for security purposes.
The admission indicates that Twitter deliberately took users’ 2FA mobile phone numbers and repurposed them to help advertisers.
The company claims that the issue was fixed by 17th September, and users’ email addresses and phone numbers are now being collected only for security purposes. The company has no idea how many users were affected by the security glitch.
“We’re very sorry this happened and are taking steps to make sure we don’t make a mistake like this again,” claimed the company in a blog post.
It’s not yet known whether the mobile phone numbers of any users in the UK and Europe were exploited in this way. If they were, it would need to be reported to the company’s appropriate data protection registrar in the European Union with the company subject to a major fine – and the risk of a class-action lawsuit.
The incident is just the latest is a series of security lapses at Twitter in recent years.
Last month, the company said that it was disabling its tweet via SMS feature. This had been a known security flaw for some time, but was only taken down after the account of Twitter CEO Jack Dorsey was compromised.
Last year, the company advised its nearly 330 million users to change their passwords immediately after discovering that a bug was exposing user passwords in plain text. Twitter also revealed a phone number leak flaw despite knowing about it for about two years.
Earlier in 2017, thousands of Twitter accounts were compromised by Turkish hackers to broadcast ‘Nazi’ tweets, with the finger of blame pointed at the Twitter Counter app.
And in 2015, Russian government-backed hackers used Twitter to breach networks of US government and defence industry computer systems and distributed malware to their targets.
The admission further undermines the use of 2FA for security for commercial websites – especially after Facebook also admitted mis-using 2FA mobile phone numbers.
The idea of two-factor authentication is to provide another layer of security in addition to the password, based on the principle that authentication ought to be supported by:
1. Something you know;
2. Something you have;
3. Something you are.
Biometrics provides the third factor. With 2FA, hackers can’t take over an account unless they have access to the user’s phone number, raising the difficulty level for attackers.