At this point, it’s painfully unsurprising to hear new examples of tech companies misusing customer data. But a particularly shameful version of the story has become increasingly common: services pulling phone numbers and other data used for two-factor authentication into their marketing databases. On Tuesday, Twitter became the latest tech giant to join those ranks.
The company said in a statement that it accidentally ingested phone numbers and email addresses collected for security measures like two-factor authentication into two of its advertising systems, called Tailored Audiences and Partner Audiences. The company didn’t give the information directly to marketers, but used it to help them target ads to Twitter users. Twitter stopped the data bleed on September 17, three weeks before coming forward about it. It’s not clear how long the improper sharing had gone on before that, and Twitter says it doesn’t know how many users were affected.
“When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes. This was an error and we apologize,” the company wrote in its statement. “We’re very sorry this happened and are taking steps to make sure we don’t make a mistake like this again.”
A Twitter spokesperson told WIRED that the company doesn’t have further comment on what internal issue caused the mix-up. In September 2018, Facebook admitted that it, too, had used phone numbers customers had shared to set up two-factor authentication for marketing and customization purposes. The Federal Trade Commission fined Facebook a record $5 billion in July over numerous instances of user data mishandling.
And Twitter has committed its own user privacy sins. In May 2018, for example, the company announced that it had mistakenly stored some user passwords in plaintext in an internal logging system. The incident thankfully doesn’t seem to have resulted in a full-on data breach, but it was a major misstep in handling a crucial piece of user data.
Bugs and mistakes happen, but when it comes to misuse of information users provide for security services, it’s especially obvious that companies aren’t prioritizing user privacy and security ahead of their business goals. Controlling and protecting such a limited, well-defined, and unambiguous data set should be easily manageable for any large tech company.
“If you wanted to secure the phone numbers you’d just put them in a database table called ‘2FA numbers don’t sell to marketers,’” says Matthew Green, a cryptographer at Johns Hopkins University. “This stuff is like a bank leaving customers’ money lying around and then spending it on snacks. Obviously that could happen. We just try to prevent it from happening because, you know, ethics.”
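The separation Green describes, storing security-purpose identifiers in a table the ad system cannot read, is easy to express in code. The following is an added illustration, not Twitter’s code; the `Purpose` enum, `ContactStore` class, normalisation rules and sample users are all hypothetical, and the matching step stands in for an advertiser-list upload of the Tailored Audiences kind.

```python
"""Purpose-bound contact storage: identifiers collected for 2FA are never
consulted when matching an advertiser's uploaded list.
Added illustration with hypothetical names; not Twitter's implementation."""
from enum import Enum


class Purpose(Enum):
    SECURITY = "security"    # 2FA / account recovery only
    MARKETING = "marketing"  # user consented to ad personalisation


def normalise(value: str) -> str:
    """Canonical form so matching is not defeated by case or spacing.
    Hypothetical rules: lowercase emails, keep only digits for phones."""
    v = value.strip().lower()
    if "@" in v:
        return v
    return "+" + "".join(ch for ch in v if ch.isdigit())


class ContactStore:
    """One table per purpose. The ad matcher only gets the marketing view,
    so a 2FA phone number cannot leak into audience matching by accident."""

    def __init__(self) -> None:
        self._tables = {p: {} for p in Purpose}  # purpose -> {value: user_id}

    def add(self, user_id: str, value: str, purpose: Purpose) -> None:
        self._tables[purpose][normalise(value)] = user_id

    def marketing_view(self) -> dict:
        # The only accessor exposed to advertising systems.
        return dict(self._tables[Purpose.MARKETING])


def match_uploaded_list(store: ContactStore, uploaded: list) -> set:
    """Return user ids whose *marketing* identifiers appear in the upload."""
    view = store.marketing_view()
    return {view[normalise(x)] for x in uploaded if normalise(x) in view}


def demo() -> set:
    """Constructed sample: two users gave contact details only for 2FA."""
    store = ContactStore()
    store.add("u1", "Alice@Example.com", Purpose.SECURITY)
    store.add("u2", "bob@example.com", Purpose.MARKETING)
    store.add("u3", "+1 415 555 0100", Purpose.SECURITY)
    upload = ["alice@example.com", "BOB@example.com", "+1 (415) 555-0100"]
    return match_uploaded_list(store, upload)  # only u2 is matched


if __name__ == "__main__":
    print(demo())
```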