Twitter provided advertisers its users’ e-mail addresses and phone numbers without permission

The social network Twitter acknowledged using its users’ phone numbers, which were requested for security reasons, for promotional purposes. The company asked its users to provide their phone numbers and e-mail addresses to improve their accounts’ protection through the two-step authentication process. However, this data ended up being used for specific advertising purposes, although Twitter maintains that it was “not intentional”.

The security failure offered advertisers a group of users’ phone numbers, but their personal information was not revealed. However, the company does not know how many users were affected.

The American firm, which has more than 330 million users around the world, described the event as a “mistake” and said that the private data, provided for security reasons, was used “involuntarily”.

“We have discovered recently that when you provide an e-mail address or a phone number for security reasons, for example, to use the two-step verification system, this data may have been involuntarily used for advertising”, company sources said in a widely circulated communiqué, which also states that the problem has been solved.

The company is not authorized to use this personal information for any purpose other than securing users’ accounts through two-step authentication. The user provides an e-mail address or a phone number to receive a message with a verification code when trying to access a service. Entering the code therefore shows that it is the account’s owner, and not another person, who is trying to access that account.

Twitter states that no users’ personal data has been shared with third parties and that “they have discussed the problem that let this happen.” They claim that, since September 17, phone numbers and e-mail addresses are only requested for security reasons.

“Since September 17, we have addressed the problem that let this happen and we will no longer use the phone numbers or e-mail addresses, solicited for security purposes, for advertising. No personal data was shared with any of our partners”.

This error occurred as a result of the personalized audience program developed by Twitter, called Tailored Audiences. This program allows advertisers to target their advertising campaigns based on their own marketing lists. The company then discovered that, once these lists were uploaded, the telephone numbers and e-mail addresses that users had previously entered to configure their profiles’ security were used in the process.

The social network went on to state that the information was used in its “ad systems for partner audiences and personalized audiences”. The two-step authentication system is a security measure that has spread in recent years across the main digital services to make it harder for cybercriminal groups to hack user accounts.

Twitter requires users to provide a valid phone number to enable second-factor protection, even when they do not want the verification code to reach them via SMS. For this reason, the affected profiles had no way to avoid this.

“It was a mistake and we apologize”, Twitter said in its statement. “We are sorry that this has happened and we are taking steps to ensure that we cannot make this mistake again”, it added. The social network apologized in similar terms in July, when it admitted that it could have shared user data from its mobile application, including country codes and ad impact data, with advertising companies even when users “had not given permission” to do it.

The two-step verification system data is “so sensitive” that “it must have restricted access”. “Personal data, in general, must be respected; it is a quality principle, which means that they are collected for a specific purpose and cannot be used for another. If you want to do it, you have to ask for consent that, for commercial communications, must be explicit”, said Samuel Parra, a lawyer specializing in data protection.

It is not the first security problem that Twitter has experienced in recent years. For example, in May of last year, the company suffered an incident that exposed the passwords and private tweets of all users of the social network. Nor is it the first time that an important social network has taken information provided for security reasons and subsequently (silently or accidentally) used it for something completely different.

Facebook, for example, did something similar last year. The company confirmed that it used the phone numbers provided by users (to activate two-step verification) to improve the effectiveness of its shadow profiles, a practice used to save user data that has not been shared within the social network.

This problem led to a sanction against Facebook by the United States Federal Trade Commission worth 5,000 million dollars earlier this year. It is ironic to think that, by providing a telephone number to increase the account’s security, the data ends up being used for other purposes; and, worst of all, that the user has no knowledge of it.
