Twitter says it ‘inadvertently’ used two-factor email addresses, phone numbers for targeted ads

Targeted advertisements are a nuisance at best, and something else entirely at worst. They have put Facebook and other companies in hot water in the past, especially in how they are implemented, and now Twitter is confirming it hasn’t handled things in this regard all that well.

In a statement made today on Twitter’s website, the social network/news fire hose confirmed that it “inadvertently” used the email addresses and/or phone numbers used for security purposes, like two-factor authentication, as a means to deploy targeted advertisements for those individuals.

Twitter says the information was used for Tailored Audiences and the company’s Partners Audiences advertising system:

Tailored Audiences is a version of an industry-standard product that allows advertisers to target ads to customers based on the advertiser’s own marketing lists (e.g., email addresses or phone numbers they have compiled). Partner Audiences allows advertisers to use the same Tailored Audiences features to target ads to audiences provided by third-party partners. When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes. This was an error and we apologize.

Twitter says that, at this stage, it’s unable to determine just how many users were affected by this. However, in an effort to be transparent, it’s simply letting everyone know what’s happened. It does note that no personal data was ever shared with third-party companies or advertising companies, whether they were official partners or not.

Twitter also says it has fixed the problem, as of September 17:

As of September 17, we have addressed the issue that allowed this to occur and are no longer using phone numbers or email addresses collected for safety or security purposes for advertising.

The fact that Twitter says it doesn’t know how many people were impacted by this is one thing, but the fact that the company is trying to tout its “transparency” so long after its initial discovery is interesting. The fact that they patched the issue in the middle of September suggests they’ve known about it for quite some time, and now, weeks after fixing it, they’re finally letting people know.

That’s probably better than nothing, right? What do you think?