Twitter has said it used phone numbers and email addresses, provided by users to set up two-factor authentication on their accounts, to serve targeted ads.
In a disclosure Tuesday, the social media giant said it did not know how many users were impacted.
The issue stemmed from the company’s tailored audiences program, which allows companies to target advertisements against their own marketing lists, such as phone numbers and email addresses. But Twitter found that when advertisers uploaded their marketing lists, it matched Twitter users to the phone numbers and email addresses users submitted to set up two-factor authentication on their account.
The issue was addressed as of September 17, the disclosure said.
Twitter finds itself in the same boat as Facebook, which last year was caught using users’ phone numbers and email addresses, which they gave Facebook for securing their accounts, for targeted advertising.
For its part, Twitter said its ad targeting was “an error” and apologized.
It’s the latest in a number of security lapses at Twitter in the past year. Last year, the company admitted to storing passwords in plaintext, disclosed a phone number leak bug despite knowing about it for two years, and confirmed a location data leak in May.