Twitter has apologised for “unintentionally” using email addresses and phone numbers, provided by users for account security, to enable targeted advertising.
The company said third-party marketers may have been able to reach specific users on Twitter based on contact details, even if the user had not wished the information be used this way.
In a statement, Twitter said it “cannot say with certainty how many people were impacted”, but the BBC understands it affects users globally.
Unusually, the company is not proactively contacting customers directly to inform them of the breach.
The company would not say when it discovered the issue, but said it had addressed the problem “as of September 17” – 21 days ago.
The firm said it was “no longer using phone numbers or email addresses collected for safety or security purposes for advertising”.
Twitter, which has its European headquarters in Dublin, would not confirm whether or not it had notified the Irish Data Protection Commissioner, other than to say it was communicating with regulators “where appropriate”.
Under Europe’s General Data Protection Regulation (GDPR), users must be informed if data is used for a purpose other than what it was intended for.
Twitter says it has 139 million users that use the platform every day and are served with adverts.
The issue involves a system Twitter offers advertisers whereby they can match their own database of customer email addresses – gathered independently from Twitter – with users on Twitter that use the same email address.
The practice – common across social networks – allows for highly targeted advertising designed to reach users who are likely already familiar with the brand or product.
However, what Twitter revealed in its statement on Tuesday was that this email matching was referencing addresses that users had submitted solely for the purpose of enhancing their account security by adding two-factor authentication.
This is a method that adds a second level of security – such as getting a text message with a log-in code – to prevent malicious actors from being able to use a person’s credentials.
“When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes,” the company explained.
“This was an error and we apologise.”
In March, Facebook was highly criticised for using numbers and email addresses submitted for two-factor authentication to target advertising. Unlike Twitter, however, Facebook did not consider the behaviour to be mistake.
But, in handing down its record-breaking $5bn fine, the US Federal Trade Commission said Facebook must stop using “the phone numbers it obtained specifically for security” to power its advertising platform.