In the FTC order, the commission states that Twitter had access to personal data from more than 140 million users in just the 2014 – 2019 period, which it then shared with advertisers. This was at a time when Twitter’s terms and conditions explicitly stated to its users that this information would be used for the sole purpose of securing their accounts.
According to the FTC and the United States Department of Justice, Twitter began sharing user data with advertisers in 2013 — around the same time it started allowing users to add their phone numbers for two-factor authentication. Before being called out by the FTC, Twitter maintained that it collected phone numbers and email addresses for the purpose of improving account security. Users could, for example, easily reset their passwords, or unlock their accounts using a verified phone number or email address.
While the average Twitter user likely assumed their phone number and associated data were secure with Twitter, the company disregarded the trust users placed with them and shared this data with advertisers, the FTC orders states.