Twitter has apologised for “unintentionally” using email addresses and phone numbers, provided by users for account security, to enable targeted advertising.
The company said third-party marketers may have been able to reach specific users on Twitter based on contact details, even if the user had not wished the information be used this way.
In a statement, Twitter said it “cannot say with certainty how many people were impacted”, but the BBC understands it affects users globally.
Unusually, the company is not proactively contacting customers directly to inform them of the breach.
The company would not say when it discovered the issue, but said it had addressed the problem “as of September 17” – 21 days ago.
The firm said it was “no longer using phone numbers or email addresses collected for safety or security purposes for advertising”.
Twitter, which has its European headquarters in Dublin, would not confirm whether or not it had notified the Irish Data Protection Commissioner, other than to say it was communicating with regulators “where appropriate”.
Under Europe’s General Data Protection Regulation (GDPR), users must be informed if data is used for a purpose other than what it was intended for.
Twitter says it has 139 million users that use the platform every day and are served with adverts.
