Twitter Reveals User Security Data Was Accessible by Advertisers

Twitter dataTwitter admitted this week that user account security data may have been used for targeting by advertisers.

Advertisers who use the social media platform’s Tailored Audiences and Partner Audiences systems inadvertently may have been able to access users’ email addresses or phone numbers that were provided for security or two-factor authentication purposes, Twitter said in a statement.

No personal data was shared externally with partners or other third parties, said Twitter, adding that they cannot say with certainty how many people were impacted.

While the breach was only publicly announced this week, Twitter said “the issue that allowed this to occur” had been addressed, and this information is no longer being used for advertising.

Tailored Audiences allows advertisers to target ads to customers based on the advertiser’s own marketing lists, while Partner Audiences allows advertisers to use the same Tailored Audiences features to target ads to audiences provided by third-party partners.

“When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes,” said the statement. “This was an error and we apologize.”


You May Also Enjoy:

Depending on where Twitter users are globally, they may very well have legal recourse, notes Forbes. The EU’s Global Data Protection Regulation (GDPR), for example, has severe penalties for not only unauthorized use of data, but for not identifying authorities or data owners of breaches.

Separately, on Monday, CNBC reported that Ireland’s Data Protection Commission (DPC) had completed investigations into Facebook’s WhatsApp and Twitter over possible EU data privacy regulations. Companies can reportedly be fined up to four percent of their global annual revenues for violations of GDPR.

Because many big tech companies—such as Twitter, Facebook, Apple and Google—have their EU headquarters in Ireland, the Irish DPC supervises these companies under GDPR. It has opened more than a dozen investigations into such firms.