Twitter is potentially facing a hefty fine from the U.S. Federal Trade Commission (FTC) for the improper use of users’ phone numbers and email addresses. On Monday, the social media giant said that the fine, which could reach up to $250 million, would stem from violations of Twitter’s 2011 consent agreement with the FTC over consumer privacy.
In a corporate filing, Twitter reported that the agency started its investigation last October after the company announced that it had linked a database of its users’ personal information, including phone numbers and email addresses, with a system used by advertising partners.
According to Twitter, the practice ran from 2013 to 2019: information that users had provided for security purposes was also used to help target ads. Twitter has said this was done “inadvertently,” but the FTC believes the practice may nonetheless have violated the terms of the agreement.
In 2011, Twitter had agreed to a settlement with the FTC after hackers were able to take over the social networking site, which allowed them to access private information and even send out phony tweets. Under the agreement, Twitter was prohibited from misleading consumers about the extent of its security and privacy measures.
“The matter remains unresolved, and there can be no assurance as to the timing or the terms of any final outcome,” the company said in its corporate filing.
The FTC had sent its draft complaint on July 28, according to a spokesperson for Twitter. In addition, the social networking site had disclosed the investigation in accordance with “standard accounting rules” and included it in a filing with the Securities and Exchange Commission.
2FA information used for targeted advertising
Twitter’s latest controversy comes over its handling of information collected for two-factor authentication (2FA). The process, which requires users to present two different authentication factors to prove their identity, adds an additional layer of security at login. Most major sites—Facebook, Google, Instagram and LinkedIn, among others—offer 2FA, and many popular password managers can store and generate 2FA codes as well.
To set up SMS-based 2FA on Twitter, users had to provide a phone number so that the site could add another step to the login process: after entering their password, users receive a text message containing a one-time code, which they type in to finish signing in. The number is therefore collected for a single, security-related purpose. In Twitter’s case, however, these numbers also ended up in a system that let advertisers target their ads to specific audiences, so a contact detail handed over to protect an account was reused to profile its owner. According to the company, the number of people affected is still unclear.
“When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes,” explained Twitter in an October blog post, which also announced the incident. “This was an error and we apologize.”
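The matching step that Twitter describes above, and the 2FA enrollment that feeds it, can be modelled in a few lines. The following is an added example, not Twitter’s code or anything from the FTC filing: it shows the flawed audience join that treats every contact on an account as fair game, beside a hardened version that only consults identifiers tagged for marketing use, plus an audit helper that reports which users were reached only through security-purpose contacts. The upload format (SHA-256 hashes of normalized emails and phone numbers), the E.164-style phone normalization, and all accounts and list entries are assumptions constructed for the example.

```python
"""Purpose-scoped audience matching (added example; not Twitter's own code).

Assumptions (not from the article): advertiser lists arrive as SHA-256
hashes of normalized identifiers; phone numbers already carry a country
code; all accounts and list entries below are constructed sample data.
"""
import hashlib
import re
from dataclasses import dataclass
from enum import Enum
from typing import List, Set, Tuple


class Purpose(Enum):
    SECURITY = "security"    # e.g. 2FA phone, password-reset email
    MARKETING = "marketing"  # explicit opt-in for ad audience matching


@dataclass(frozen=True)
class Contact:
    kind: str        # "email" or "phone"
    value: str       # as entered by the user (un-normalized)
    purpose: Purpose  # why the identifier was collected


@dataclass
class Account:
    user_id: str
    contacts: List[Contact]


def normalize(kind: str, value: str) -> str:
    """Canonical form so that hashes on both sides line up."""
    if kind == "email":
        return value.strip().lower()
    if kind == "phone":
        # Assumes the digits already include a country code (E.164 style).
        return "+" + re.sub(r"\D", "", value)
    raise ValueError(f"unknown identifier kind: {kind}")


def hash_identifier(kind: str, value: str) -> str:
    return hashlib.sha256(normalize(kind, value).encode("utf-8")).hexdigest()


def build_advertiser_list(entries: List[Tuple[str, str]]) -> Set[str]:
    """What an advertiser would upload: hashes, not raw identifiers (assumed)."""
    return {hash_identifier(kind, value) for kind, value in entries}


def match_audience_unscoped(accounts: List[Account], uploaded: Set[str]) -> Set[str]:
    """Flawed join: every contact on the account is eligible, including
    the phone number the user gave solely to enable SMS 2FA."""
    return {
        acct.user_id
        for acct in accounts
        for c in acct.contacts
        if hash_identifier(c.kind, c.value) in uploaded
    }


def match_audience_scoped(accounts: List[Account], uploaded: Set[str],
                          allowed: Set[Purpose] = frozenset({Purpose.MARKETING})) -> Set[str]:
    """Hardened join: identifiers collected for security never take part."""
    return {
        acct.user_id
        for acct in accounts
        for c in acct.contacts
        if c.purpose in allowed and hash_identifier(c.kind, c.value) in uploaded
    }


def security_only_matches(accounts: List[Account], uploaded: Set[str]) -> Set[str]:
    """Audit check: users the unscoped join reached only via security contacts.
    A non-empty result is exactly the kind of leak the article describes."""
    return match_audience_unscoped(accounts, uploaded) - match_audience_scoped(accounts, uploaded)


# Constructed sample data (not real users or advertisers).
SAMPLE_ACCOUNTS = [
    Account("alice", [Contact("phone", "+1 (415) 555-0100", Purpose.SECURITY)]),
    Account("bob", [Contact("email", "Bob@Example.com", Purpose.MARKETING),
                    Contact("phone", "+1 415 555 0199", Purpose.SECURITY)]),
    Account("carol", [Contact("email", "carol@example.org", Purpose.SECURITY)]),
]
SAMPLE_ADVERTISER_LIST = [
    ("phone", "14155550100"),         # alice's 2FA number, differently formatted
    ("email", "bob@example.com"),     # bob opted in to marketing matching
    ("email", "carol@example.org"),   # carol's recovery address
]

if __name__ == "__main__":
    uploaded = build_advertiser_list(SAMPLE_ADVERTISER_LIST)
    print("unscoped:", sorted(match_audience_unscoped(SAMPLE_ACCOUNTS, uploaded)))
    print("scoped:  ", sorted(match_audience_scoped(SAMPLE_ACCOUNTS, uploaded)))
    print("leaked:  ", sorted(security_only_matches(SAMPLE_ACCOUNTS, uploaded)))
```

The point of the purpose tag is that the decision is made at the data model, not in each consumer: a new ad pipeline that forgets to filter gets the same `SECURITY` contacts excluded by default, and the audit helper gives a concrete number to report (here two of three matched users) rather than the “still unclear” count the article mentions.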
Just last month, Twitter landed in hot water after hackers took over Twitter accounts and sent tweets soliciting bitcoin. Even worse, the compromised accounts included those of prominent personalities, such as former president Barack Obama and reality TV star Kim Kardashian West. Three people, including a Florida teenager whom authorities have identified as the mastermind, have been arrested and charged in connection with the breach.