Twitter 2FA phone numbers “inadvertently” used for advertising purposes

Twitter’s Support account published an announcement on Tuesday, but the post it linked to did not offer much clarity.

“We recently discovered that when you provided an email address or phone number for safety or security purposes (for example, two-factor authentication) this data may have inadvertently been used for advertising purposes, specifically in our Tailored Audiences and Partner Audiences advertising system,” the company said.

“When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes. We cannot say with certainty how many people were impacted by this, but in an effort to be transparent, we wanted to make everyone aware.”

Was it one advertiser or several? Do the advertiser(s) get to “keep” the matched information? If not, how can Twitter be sure the matched data has been scrubbed on their side? Twitter says this was done in error – how is that possible? What guarantees do users have that it won’t happen again? Which users’ information was affected? Should anyone who entered a phone number or email address to set up 2FA assume their information has been shared? How long was this going on?

They couldn’t have been more vague than they were.

Disgruntled users doubt it was an error

The announcement has drawn many comments from users, most of whom have made it clear that they don’t believe the “error” was unintentional.

Cryptography professor and vocal security advocate Matthew Green linked Twitter’s “error” to Facebook’s 2018 decision to use the phone numbers users provided for 2-factor authentication (2FA) to spam users with ads. He also posited that, based on the blowback from this move, Twitter will decide whether or not to go ahead with using 2FA numbers “for all its product priorities.”

EFF’s Director of Cybersecurity Eva Galperin lamented that this “kind of behavior undermines people’s willingness to use 2FA and makes them less secure in the long run.”

Twitter requires users to share their phone number if they want to enable 2FA on their accounts, whether they opt for SMS-based delivery of the second token, software-based TOTP apps (e.g., Google Authenticator), or a physical security key.

The latter two options should not require Twitter to know the user’s phone number but, nevertheless, Twitter insists upon it: if you remove the phone number from your account, the company immediately switches off 2FA (or, as they call it, login verification).
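To make the point concrete: a TOTP second factor (RFC 6238, the scheme behind Google Authenticator and similar apps) needs nothing but a shared secret and a clock on both sides. The example below is added here for illustration and is not Twitter’s code; it implements HOTP/TOTP generation, enrollment (secret plus the otpauth:// URI an app scans) and server-side verification with a small clock-skew window and a constant-time comparison. The issuer and account names are placeholders, and the secret `b"12345678901234567890"` used in the self-check is the RFC 6238 test-vector secret. Nowhere in this flow does a phone number appear.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time (default 30 s steps)."""
    return hotp(secret, timestamp // step, digits, algorithm)


def new_enrollment(issuer: str, account: str, secret: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Server-side enrollment: a fresh 160-bit secret and the otpauth:// URI the authenticator app scans.

    The server stores the secret against the account; no phone number is needed or collected.
    """
    if secret is None:
        secret = secrets.token_bytes(20)
    b32 = base64.b32encode(secret).decode().rstrip("=")
    uri = (f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
           f"&algorithm=SHA1&digits=6&period=30")
    return secret, uri


def verify_totp(secret: bytes, submitted: str, timestamp: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step or +/- `window` steps.

    The tolerance absorbs clock skew and the time it takes to type the code.
    All candidates are compared in constant time and OR-ed together so the
    timing of the check does not reveal which step (if any) matched.
    """
    if timestamp is None:
        timestamp = int(time.time())
    if len(submitted) != digits or not submitted.isdigit():
        return False
    counter = timestamp // step
    ok = False
    for delta in range(-window, window + 1):
        c = counter + delta
        if c < 0:  # counters are unsigned; skip steps before the Unix epoch
            continue
        ok |= hmac.compare_digest(hotp(secret, c, digits), submitted)
    return ok


if __name__ == "__main__":
    # Self-check against the RFC 6238 test vector (SHA-1, 8 digits, T=59 -> 94287082).
    rfc_secret = b"12345678901234567890"
    assert totp(rfc_secret, 59, digits=8) == "94287082"
    # Simulated enrollment and login for a placeholder account.
    stored_secret, uri = new_enrollment("ExampleSite", "alice@example.com")
    now = int(time.time())
    code = totp(stored_secret, now)          # what the user's app would display
    print(uri)
    print("login ok" if verify_totp(stored_secret, code, timestamp=now) else "login rejected")
```

The only thing the verifier holds is the per-account secret; anything else Twitter asks for at enrollment is a product decision, not a requirement of the protocol. The same is true of a FIDO security key, which registers a public key rather than a shared secret.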

The weaknesses of SMS-based 2FA are well known and increasingly exploited, through social engineering of carriers (SIM swapping) and through flaws in the SS7 telephony signaling protocols. Even so, any form of multi-factor authentication (MFA) defeats the most common attacks, such as credential stuffing and password reuse, so any option is better than relying on a password alone.

Too many users remain unconvinced of 2FA’s advantages, or lack the confidence to set it up, so it is unfortunate that companies such as Facebook and Twitter are not doing more to prevent “errors” like these, which further erode an already limited willingness to adopt 2FA.
