Twitter said it accidentally used information submitted for security purposes, including two-factor authentication, in its ad targeting system, raising privacy concerns for users.
According to a blog post published yesterday, Twitter 2FA data, including user email addresses and phone numbers, “may have inadvertently been used for advertising purposes.”
“We cannot say with certainty how many people were impacted by this, but in an effort to be transparent, we wanted to make everyone aware. No personal data was ever shared externally with our partners or any other third parties. As of September 17, we have addressed the issue that allowed this to occur and are no longer using phone numbers or email addresses collected for safety or security purposes for advertising,” Twitter wrote in the blog post. “We’re very sorry this happened and are taking steps to make sure we don’t make a mistake like this again.”
The company did not say how long the Twitter 2FA data was being misused and a spokesperson did not clarify. However, a Twitter spokesperson did explain that it took three weeks between fixing the issue and disclosing it because the company wanted to ensure it was fully corrected and no other parts of the service were impacted.
Infosec professionals like Katerina Borodina, a security lead based in Sydney, recommended users use alternative 2FA methods.
Security tip: I recommend using apps like Authy or Google Authenticator for 2FA instead of SMS. It protects against sim swaps, and makes it harder for exploitative companies like Twitter to sell your info. https://t.co/k9VvRnk8IT
— Katerina Borodina (@kathyra_)
October 8, 2019
Others noted that a phone number is required to enable Twitter 2FA, even if using an authenticator app is set as the primary verification method. Twitter’s spokesperson acknowledged this frustration and told SearchSecurity that Twitter recognizes tying the use of 2FA to a phone number is not ideal and the company is working toward decoupling the two going forward.
Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation, expressed concern on Twitter that this issue would undermine 2FA adoption in general.
Oops! Twitter “unintentionally” used the information it got from you to secure your account in order to make money. This kind of behavior undermines people’s willingness to use 2FA and makes them less secure in the long run. https://t.co/8vvVPwXLTs
— Eva (@evacide)
October 8, 2019
2FA and advertising privacy
The announcement of the Twitter 2FA issue came two months after the company admitted it had used data for advertising purposes without permission. The company said certain data had been shared with advertising partners without permission from May 2018 to Aug. 2019; and ads were targeted based on mobile device information from Sept. 2018 to Aug. 2019 even if the user did not give permission for that activity.
This issue for Twitter also comes approximately one year after Facebook was found using 2FA phone numbers for advertising purposes. Facebook was forced to admit the practice following a research paper and report finding advertisers were able to target 2FA phone numbers within weeks of the number being added to an account.
Misuse of 2FA information such as users mobile numbers have added to concerns about SMS-based 2FA, which security experts said is vulnerable to a variety of attacks. In 2016, the U.S. National Institute of Standards and Technology announced plans to deprecate the use of SMS-based 2FA.