The Twitter logo

Twitter is being investigated by the Federal Trade Commission for improperly allowing consumers’ email addresses and phone numbers to be used for targeting ads.

Twitter announced the investigation, which was first reported by the New York Times, in a Securities and Exchange Commission filing on Monday. On Tuesday, the FTC confirmed to Consumer Reports that it does have an open investigation into Twitter, but the agency didn’t give further details.

Consumer contact information is collected by Twitter for security, including two-factor authentication, which requires anyone logging in to an account to enter a second form of identification, such as a one-time passcode. That’s meant to protect consumers from hackers.

The company said last fall that some of the information “may have inadvertently been used” to let advertisers target specific types of people for marketing messages. The problem allegedly persisted from 2013 to 2019.

In the SEC filing, Twitter says it received a draft complaint from the FTC late last month. The misuse of data could put Twitter in violation of a 2011 FTC consent decree, which stemmed from two incidents in 2009 where hackers were able to take administrative control of Twitter and access private consumer information, as well as send out fake tweets from consumer accounts.

More on Data Security & Privacy

The FTC charged at the time that the incidents had stemmed from “serious lapses” in Twitter’s data security. Under the terms of the resulting settlement, Twitter was barred for 20 years from misleading consumers about the extent to which it protects the security and privacy of their information. And it was required to put in place a comprehensive digital security program that could be independently audited for the next decade.

Ignoring these kinds of warnings can result in FTC fines. And, as a result of the current investigation, Twitter says that it could face fines totaling between $150 million and $250 million.

Twitter recently came under fire for its data security practices after hackers managed to take control of the accounts of several famous people, including Barack Obama, Kanye West, Joe Biden, and Jeff Bezos, as part of a bitcoin scam. A Florida teenager was recently charged with 30 felonies in the attack.

And Twitter isn’t the only social media network to have its data security practices scrutinized by the FTC. In 2019, Facebook paid a $5 billion FTC fine to settle charges of consumer privacy violations.