At this point, it’s painfully unsurprising to hear new examples of tech companies misusing customer data. But a particularly shameful version of the story has become increasingly common: services pulling phone numbers and other data used for two-factor authentication into their marketing databases. On Tuesday, Twitter became the latest tech giant to join those ranks.
In a statement, Twitter revealed that this was “inadvertently” done by its Tailored Audiences advertising program.
“We recently discovered that when you provided an email address or phone number for safety or security purposes,” the statement explains, “this data may have inadvertently been used for advertising purposes, specifically in our Tailored Audiences and Partner Audiences advertising system.”
“When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes. This was an error and we apologize,” the company wrote in its statement. “We’re very sorry this happened and are taking steps to make sure we don’t make a mistake like this again.”
Facebook admitted that it, too, had used phone numbers customers had shared to set up two-factor authentication for marketing and customization. The Federal Trade Commission fined Facebook a record $5 billion in July over numerous instances of user data mishandling.
Bugs and mistakes happen, but when it comes to misuse of information users provide for security services, it’s especially obvious that companies aren’t prioritizing user privacy and security ahead of their business goals.
“If you wanted to secure the phone numbers you’d just put them in a database table called ‘2FA numbers don’t sell to marketers,’” says Matthew Green, a cryptographer at Johns Hopkins University. “This stuff is like a bank leaving customers’ money lying around and then spending it on snacks. Obviously that could happen. We just try to prevent it from happening because, you know, ethics.”
This isn’t the first time this type of violation has occurred, and it won’t be the last. But let it be a reminder that every time you give your data to a company, no matter what they say it’s for, it could end up being used for other purposes—specifically, other profit-driven purposes.
Twitter says that it has “addressed the issue that allowed this to occur and are no longer using phone numbers or email addresses collected for safety or security purposes for advertising.”