Stop us if you’ve heard this before: you give a tech company your personal information in order to use two-factor authentication, and later find out that they were using that security information for targeted advertising.

That’s exactly what Twitter fessed up to yesterday in an understated blog post: the company has been taking email addresses and phone numbers that users provided for “safety and security purposes” like two-factor authentication, and using them for its ad tracking systems, known as Tailored Audiences and Partner Audiences.

Twitter claims this was an “unintentional,” “inadvertent” mistake. But whether this was avarice or incompetence on Twitter’s part, the result confirms some users’ worst fears: that taking advantage of a bread-and-butter security measure could expose them to privacy violations. Twitter’s abuse of phone numbers for ad tracking threatens to undermine people’s trust in the critical protections that two-factor authentication offers.

How Did Your 2FA Phone Number End Up in Twitter’s Ad Tracking Systems?!

Here’s how it works. Two-factor authentication (2FA) lets you prove, or “authenticate,” your identity with a second piece of information, or “factor,” in addition to your password. It sometimes goes by different names on different platforms—Twitter calls it “login verification.”

There are many different types of 2FA. SMS-based 2FA involves receiving a text with a code that you enter along with your password when you log in. Since it relies on SMS text messages, this type of 2FA requires a phone number. It is also the weakest of the common options, because anyone who manages to take over your phone number (for example through a SIM-swap attack) can receive your codes. Other types of 2FA—like authenticator apps and hardware tokens—do not require a phone number to work: an authenticator app holds a secret that it shares only with the service, and generates codes from that secret and the current time.

No matter what type of 2FA you choose, however, Twitter makes you hand over your phone number anyway. (Twitter now also requires a phone number for new accounts.) And that pushes users who need 2FA security the most into an unnecessary and painful choice between giving up an important security feature or surrendering part of their privacy.

In this case, security phone numbers and email addresses got swept up into two of Twitter’s ad systems: Tailored Audiences, a tool to let an advertiser target Twitter users based on their own marketing list, and Partner Audiences, which lets an advertiser target users based on other advertisers’ marketing lists. Twitter claims the “error” occurred in matching people on Twitter to these marketing lists based on phone numbers or emails they provided for “safety and security purposes.”

Twitter doesn’t say what it means by “safety and security purposes,” but the phrase is not necessarily limited to 2FA. In addition to 2FA information, it could potentially include the phone number you have to provide to unlock your account if Twitter has incorrectly marked it as a bot. Since Twitter forces many people into providing such a phone number to regain access to their account, it would be particularly pernicious if Twitter were using phone numbers gathered from that system for advertising.

What We Don't Know

Twitter’s post downplays the problem, leaving out numbers about the scope of the harm, and details about who was affected and for how long. For instance, if Twitter locked you out of your account and required that you add a phone number to get back in, was your phone number misused for advertising? If Twitter required you to add a phone number when you signed up, for anti-spam purposes, was your phone number misused? When is an email address considered “fair game” for ad targeting and when is it not?

Twitter claims it “cannot say with certainty how many people were impacted by this.” That may be true if they are trying to parse finely who actually received an ad. But that’s an excessively narrow view of “impact.” Every user whose phone number was included in this inappropriate targeting should be considered impacted, and Twitter should disclose that number.

2FA is Not the Problem

Based on what we know, and what else we can reasonably guess about how Twitter users’ security information was misused for ad tracking, Twitter’s explanation stretches the meaning of “unintentionally.” After all, the targeted advertising business model embraced by Twitter (and by most other large social media companies) incentivizes ad technology teams to scoop up data from as many places as they can get away with—and sometimes they can get away with quite a lot.

The important conclusion for users is: this is not a reason to turn off or avoid 2FA. The problem here is not 2FA. Instead, the problem is how Twitter and other companies have misused users’ information with no regard for their reasonable security and privacy expectations.

What Next

Twitter needs to come clean about exactly what happened, when, and to how many people. It needs to explain what processes it is putting in place to ensure this doesn’t happen again. And it needs to implement 2FA methods that do not require giving Twitter your phone number.