Enlarge (credit: Twitter)

If ever there was a surefire way to sour users against a two-factor authentication system that was already highly flawed, Twitter has found it. On Tuesday, the social media site said that it used phone numbers and email addresses provided for 2FA protection to tailor ads to users.

Twitter requires users to provide a valid phone number to be eligible for 2FA protection. A working cell phone number is mandatory even when users’ 2FA protection is based solely on security keys or authenticator apps, which don’t rely on phone numbers to work. Deleting a phone number from a user’s Twitter settings immediately withdraws account from Twitter 2FA, as I confirmed just prior to publishing this post.

Security and privacy advocates have long grumbled about this requirement, which isn’t a condition of using 2FA protection from Google, Github, and other top-ranked sites. On Tuesday, Twitter gave critics a new reason to complain. The site said it may have inadvertently used email addresses and phone numbers provided for 2FA and other security purposes to match users to marketing lists provided by advertisers. Twitter didn’t say if the number of users affected by the blunder affected was in the hundreds or the millions or how long the improper targeting lasted.