Twitter used 2FA phone numbers for targeted advertising

10 Oct 2019 | Facebook, Privacy, Social networks, Twitter

by John E Dunn

Does Twitter know your email address and your phone number?

Depending on how long ago you started using Twitter, it’s a near certainty the company has at least one of these – the email address – because people often hand that over when registering.

As for phone numbers (usually mobile numbers) these are entered to enable Twitter’s two-factor authentication (2FA) security, Login Verification.

We mention this because Twitter this week made the you-have-to-be-kidding admission that it might have “inadvertently” handed this data from some users to advertisers as part of the company’s Tailored Audiences system, which targets users’ feeds with ads.

As apologies go, this one is unsatisfactory, particularly if you like Twitter but think ‘targeted’ ads sound intrusive:

We’re very sorry this happened and are taking steps to make sure we don’t make a mistake like this again.

Twitter glosses over some of the detail so let’s explain how Tailored Audiences is supposed to work.

Well-tailored

As many Twitter users will already know to their chagrin, Twitter posts ads to people’s feeds in the form of Promoted Tweets.

The advertiser logs into their ad account, chooses the Twitter demographic it wants to reach (country, language, device type, gender, and people who’ve tweeted about topics that interest the advertiser). The ad then appears in the feed of users meeting these criteria.

However, Twitter’s admission relates to a second type of targeting that sounds incredibly similar to what Facebook was accused of doing a year ago – allowing advertisers to match Twitter’s data to their own databases not simply to target users but, hypothetically, to identify them too.

What Twitter describes as being “inadvertent” is in fact described quite explicitly on its website on a page for advertisers.

The advertiser logs into their ad account, this time uploading their own user list which is then matched to Twitter users with the same email addresses and mobile numbers (Android or iOS advertising IDs and Twitter handles can also be used).

So, when the ad appears in someone’s feed, it’s been put there because the advertiser already knows something about that person and believes the message will be better received.

Owning up

Twitter said that as of 17 September, it no longer allowed access to mobile numbers or email addresses (the latter of which can still be used by other Twitter users to hunt for you unless you turn that feature off).

We cannot say with certainty how many people were impacted by this, but in an effort to be transparent, we wanted to make everyone aware. No personal data was ever shared externally with our partners or any other third parties.

Of course, the fact that Twitter didn’t let advertisers see phone numbers and email addresses is moot if advertisers might be able to infer this by matching their own databases against Twitter’s.

The involvement of mobile numbers entered by users to enable security is unfortunate, but we wouldn’t advise removing this data in case it proves useful should an account recovery become necessary.

Twitter has no plans to tell users if they’re part of this mini-scandal. For now, users who want to know more should contact the company using its data protection query page.

3 comments on “Twitter used 2FA phone numbers for targeted advertising”

  1. Mahhn says:
    October 10, 2019 at 2:09 pm

    People will figure it out eventually, services like Twitter are like cattle ranches. The difference is people are voluntarily walking into the ranch to become cattle. Your PII and time (seeing ads) is being sold, which is why the farmer is there in the first place.

    Reply
  2. TwoFer says:
    October 10, 2019 at 4:42 pm

    So for 2FA etc.
    Throw-away email address through someone like Blur
    Burner phone bought for cash from Argos
    PAYG SIM bought for cash from Tesco
    That’s Twitter (well, one of my Twitter accounts) dealt with
    Now what if Google (the great data aggregator) wants the same?
    If I use the above they could link my Twitter account to my Google account?
    So
    Throw-away email address through someone like Blur
    Burner phone bought for cash from Argos
    PAYG SIM bought for cash from Tesco
    Where does it end?

    Reply
  3. Samantha says:
    October 11, 2019 at 4:49 pm

    It ends with everyone remembering we lived perfectly well enough, thank you, without Twatter, FaceTube et al, and walking away to leave them crumbling into digital dust behind…

    Reply
