Does Twitter utilize the user's two-factor authentication phone number for marketing purposes?
2020-08-08
In case one is somehow unaware, two-factor authentication (2FA) is the baseline for protecting one's most important accounts from being misused. Many people are too lazy to set it up, but it has to be done. It is not absolute security (Twitter's recent big hack routed around its 2FA protections), but it is many times better than relying on a username and password alone. In the early days of 2FA, one common way to implement it was to use text messaging as the second factor: when one tried to log in on a new machine (or after a certain interval of time), the service would text a code that the user had to enter to prove they were who they claimed to be.
Over time, people realized that this method was less secure. Many hacks involved "SIM swapping" (using social engineering against the carrier to have the victim's phone number ported to the attacker's SIM), after which the 2FA code is texted straight to the attacker. These days, good 2FA usually involves an authenticator app, such as Google Authenticator or Twilio's Authy, or, better still, a physical security key such as a YubiKey or Google's Titan Key. The difference is where the secret lives: an SMS code travels over the carrier's network, whereas an authenticator app and the service share a secret once at enrollment and each computes the code locally, so nothing useful ever passes through the phone number.
But using phone numbers given for 2FA purposes for notifications or marketing is really bad. First of all, it undermines trust, which is the last thing one wants to do when dealing with a security mechanism. People handed over these phone numbers and emails for a very specific and delineated reason: to better protect their account. To then share that phone number or email with the marketing team is a massive violation of trust. And it serves to undermine the entire concept of two-factor authentication, in that many users will become less willing to make use of 2FA, fearing how the numbers might be abused.
As we noted when Facebook received the mammoth $5 billion fine from the FTC a year ago, while the media focused almost entirely on the Cambridge Analytica situation as the reason for the fine, if one actually reads the FTC's settlement documents, it was other things that really caused the FTC to move, including Facebook's use of 2FA phone numbers for marketing. Facebook paid dearly for that.
And now it's Twitter's turn. Twitter has revealed that the FTC is preparing to fine the company $150 million to $250 million for this practice, noting that it violated the terms of an earlier 2011 consent decree with the FTC in which the company promised not to mislead users about how it handled personal information. Yet, for years, Twitter used the phone numbers and emails provided for 2FA to help target ads (essentially using the phone number or email as an identifier for ad targeting).
There is no explanation for this other than really bad handling of data at Twitter, and the company should be punished for it. Twitter gets unfairly blamed for many things, but a practice like this is both bad and dangerous, and large FTC fines are the only thing that will convince companies never to do this kind of thing again.