Twitter has acknowledged that user phone numbers and email addresses gathered for security purposes, as part of its two-factor authentication policy, may have been used to sell ads. It calls the move an accident.
The revelation is being widely criticized for its obvious breach of user privacy, particularly since it occurred via a scenario that was meant to bolster user security, not violate it.
In a post on its Help Center website, Twitter said that the company “recently discovered” that when users provided an email address or phone number for “safety or security purposes,” its Tailored Audiences and Partner Audiences advertising system may have “inadvertently” used the information for targeted advertising.
“We cannot say with certainty how many people were impacted by this, but in an effort to be transparent, we wanted to make everyone aware,” the company said. “No personal data was ever shared externally with our partners or any other third parties.”
Tailored Audiences allows advertisers to target ads to customers based on the advertiser’s own marketing lists—which include email addresses or phone numbers. Partner Audiences allows advertisers to use the same Tailored Audiences features to target ads to audiences provided by third-party partners.
What happened in the breach is that Twitter matched its users to advertisers’ marketing lists based on the email or phone number the Twitter account holder provided during two-factor authentication, the company said.
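To make the failure mode concrete, here is an added example (not Twitter's code, and not a description of how Tailored Audiences is actually implemented) of a purpose-bound contact store: each stored identifier carries the purpose it was collected for, and an audience-matching routine can only see identifiers collected with marketing consent. The hashed comparison against the advertiser list, the `Purpose` enum, and all sample users and addresses are constructed for the illustration. The unrestricted `match_ignoring_purpose` shows the pattern the article describes, where 2FA contact data is matched like any other; `match_with_purpose` shows the restriction that would have kept it out.

```python
"""Purpose-bound contact store (illustrative, constructed example)."""
import hashlib
from dataclasses import dataclass
from enum import Enum
from typing import Iterable


class Purpose(Enum):
    SECURITY = "security"    # 2FA, login alerts, account recovery only
    MARKETING = "marketing"  # user opted in to ad-audience matching


@dataclass(frozen=True)
class ContactRecord:
    user_id: str
    value: str           # normalized phone number or e-mail address
    purposes: frozenset  # Purpose members this record may serve


def normalize(value: str) -> str:
    """Trim and lower-case so the same identifier always hashes identically."""
    return value.strip().lower()


def fingerprint(value: str) -> str:
    """Hash identifiers before comparing them to an advertiser list (assumed design,
    so the raw uploaded list never has to be retained)."""
    return hashlib.sha256(normalize(value).encode("utf-8")).hexdigest()


class ContactStore:
    def __init__(self) -> None:
        self._records: list[ContactRecord] = []
        self.audit: list[str] = []  # every purpose-limited lookup is recorded

    def add(self, user_id: str, value: str, purposes: Iterable[Purpose]) -> None:
        self._records.append(ContactRecord(user_id, normalize(value), frozenset(purposes)))

    def all_records(self) -> list[ContactRecord]:
        """Unrestricted access: the pattern that lets 2FA data leak into ad matching."""
        return list(self._records)

    def records_for(self, purpose: Purpose) -> list[ContactRecord]:
        """Purpose-limited access: records collected only for security are withheld
        from a marketing lookup, and the withholding is logged for audit."""
        allowed = [r for r in self._records if purpose in r.purposes]
        withheld = len(self._records) - len(allowed)
        self.audit.append(
            f"lookup purpose={purpose.value} returned={len(allowed)} withheld={withheld}"
        )
        return allowed


def match_ignoring_purpose(store: ContactStore, advertiser_hashes: set) -> set:
    """Matches every stored identifier, 2FA phone numbers included (the failure mode)."""
    return {r.user_id for r in store.all_records() if fingerprint(r.value) in advertiser_hashes}


def match_with_purpose(store: ContactStore, advertiser_hashes: set) -> set:
    """Only identifiers collected with marketing consent are eligible for matching."""
    return {
        r.user_id
        for r in store.records_for(Purpose.MARKETING)
        if fingerprint(r.value) in advertiser_hashes
    }


def demo():
    """Constructed scenario: one user gave a phone number for 2FA only."""
    store = ContactStore()
    store.add("u1", "+1 555 123 0000", {Purpose.SECURITY})                   # 2FA only
    store.add("u2", "Ann@Example.com", {Purpose.SECURITY, Purpose.MARKETING})  # opted in
    store.add("u3", "bob@example.com", {Purpose.MARKETING})
    # Advertiser uploads a hashed marketing list (constructed sample values).
    advertiser = {fingerprint(v) for v in ["+1 555 123 0000", "ann@example.com", "carol@example.com"]}
    return match_ignoring_purpose(store, advertiser), match_with_purpose(store, advertiser), store.audit


if __name__ == "__main__":
    naive, limited, audit = demo()
    print("without purpose check:", sorted(naive))   # u1's 2FA phone is matched
    print("with purpose check:   ", sorted(limited))  # only the opted-in user
    print("audit:", audit)
```

The point of the `audit` list is that a purpose-limited store makes withheld records visible to whoever reviews access logs, whereas the unrestricted path leaves no trace that security-only data was ever read.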
Twitter did not disclose exactly when it discovered what was happening, but said that the issue has been addressed “as of Sept. 17.”
Users and security experts alike are understandably perturbed by Twitter’s disclosure, not just because the company misused personal data handed over in a security context, but also because it took the company nearly a month to disclose the information.
Several critics compared Twitter’s abuse of data to Facebook’s data-privacy practices, which landed the social media giant with a $5 billion fine from the FTC.
“This is the same crap Facebook pulled,” Tweeted Fortune law and policy reporter John Roberts, who expects another tech giant like Google or Amazon to be the next one found abusing user data-collection techniques.
Indeed, data itself is proving time and again to be insecure in the hands of tech companies vowing to protect it, Tweeted Can Duruk, currently an Uber developer and technologist. He speculated that a “less is more” approach to providing internet companies with data may be a better option for consumers.
“Data is a liability, Twitter edition,” wrote Duruk, who specializes in human-computer interfaces. “Phone numbers stored for 2FA end up in advertising hellhole. The more you accrue, the more someone inside your org will find a way to abuse it.”
Even other technology providers weighed in on the breach, criticizing Twitter’s requirement that users provide phone numbers and email addresses for two-factor authentication. Other companies use this type of authentication but don’t always require this step.
“Take less. Keep it safe. No secrets,” the developers of the Firefox browser Tweeted. “Sure, it’s our data promise, but it’s also our advice to other tech companies.” The Tweet included a link to a manifesto on user privacy that Mozilla Corp., the open-source company that develops and releases Firefox, posted on its website in June.
Matthew Green, an associate professor at Johns Hopkins University who teaches cryptography, put the dubious logic behind Twitter’s use of private data as an added security measure most succinctly of all.
“In all seriousness: whose idea was it to use a valuable advertising identifier as an input to a security system,” he Tweeted. “This is like using raw meat to secure your tent against bears.”