Twitter is only supposed to use phone numbers for two-factor authentication, but it appears to have been unintentionally used for more. The social network has learned that phone numbers and email addresses provided for safety and security (including two-factor authentication) might have "inadvertently" been used for ad purposes. Advertisers on Twitter can customize promos based on uploaded marketing lists, and Twitter may have matched people on those lists based on phone digits and email addresses that were supposed to be off-limits. "This was an error," Twitter said.
The company maintained that it never shared "personal data" with partners or other outsiders, and that it had resolved the problem as of September 17th. It's also "taking steps" to ensure this doesn't happen again. Twitter didn't know how many people might have been affected, though, and was reporting this primarily to be "transparent" about what happened.
This isn't likely to go over well with critics when Facebook caught flak just over a year earlier for using phone numbers for ad targeting. Whether or not Twitter intended to use phone numbers, the effect is the same -- it was using sensitive account details for ad targeting without users' knowledge or permission. Regulators may be concerned enough to take a look, especially since they just finished slapping Facebook with fines for its own less-than-careful approach to user data.