Naked Security

Twitter may have shared your data with its ad partners without your permission

Some user data, such as country and device type, was exposed to some advertisers for over a year.

Twitter may have been sharing some users’ data without their say-so, it announced.

There are two issues, both related to Twitter finding out that it’s been ignoring user preferences for how our data gets used and/or shared. As of Monday, both problems had been fixed.

Glitch No. 1: Sharing data without permission

The first bug has been active since May 2018. It had to do with users clicking or viewing an ad for a mobile app and then interacting with that app. If you did, Twitter says it may have shared certain data about you – for example, your country code, your device type, and information about the ad and when you interacted with it.

Even if you didn’t give it permission to share your data, it may have done so, passing it along to the business partners that it uses for ad tracking and measurement.

This is a full list of user data that was exposed, and these are the partners who may have gotten the information.

Twitter didn’t identify which mobile app(s) triggered the bug. Nor did it say how many users were affected. Its investigation is ongoing, Twitter said, and once it finds out more details such as number of affected users, it will let us know:

We know you will want to know if you were personally affected, and how many people in total were involved. We are still conducting our investigation to determine who may have been impacted and if we discover more information that is useful we will share it.

Glitch No. 2: Showing device-specific ads without permission

Twitter says that it messed up on a second issue starting in September 2018. This one has to do with a process it uses to tailor ads. It may have shown some users ads based on “inferences” it made about the devices they use, again without their say-so.

This time, the data stayed within Twitter instead of getting shared with its partners. It didn’t contain anything highly sensitive, such as passwords or email accounts.

As Twitter explains on this page about personalization, when you log in to Twitter on a browser or device, it associates that browser or device with your Twitter account. Even when you’re not logged in to Twitter, it may also get information about your devices or browsers. For example, one of its partners might share the information, or you might visit twitter.com, or you might visit one of its advertiser’s sites or use their mobile apps.

Most commonly, it will use your IP address and the time that it got the information and will infer that certain browsers or devices are associated with one another or with your account.

In order to personalize your Twitter experience, the platform figures out what browsers and devices are associated with your account. For example, if you use Twitter on Android around the same time and from the same network where you browse sports websites with embedded Tweets on a computer, Twitter might infer that that Android device is related to your laptop and will then suggest sports-related content, such as sports-related ads and Tweets, on your Android device. It makes similar inferences relating to your email addresses, which may share first names, last names or initials, and will later serve you advertisements from advertisers that were trying to reach email addresses with those elements.

You’re supposed to be able to control whether Twitter does all this. (You can customize your personalization and data settings here.) You should be able to customize whether or not it can make inferences based on the browsers or devices you use when you’re not actually logged in to Twitter, or the email addresses and phone numbers that are similar to the ones that you’ve linked to your Twitter account.

Well, oops redux. That problem, like the data-sharing with partners one, was fixed as of Monday.
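The settings described above only protect you if every code path that shares or infers data actually consults them before acting. As an added example (not Twitter's code; the setting names, the event fields and the sample events are assumptions constructed for illustration), here is a fail-closed consent gate for partner sharing, with a preference-ignoring variant beside it to show the shape of the bug the article describes: the preference exists and is passed around, but nothing reads it.

```python
"""Added example (not Twitter's code): a fail-closed consent check in front of
the kind of ad-measurement sharing the article describes. Every name here is a
hypothetical stand-in; the events and settings below are constructed samples."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class PrivacySettings:
    # Hypothetical equivalents of the two controls the article talks about.
    # Both default to False: sharing is opt-in, so a missing row means "no".
    share_with_partners: bool = False
    infer_identity: bool = False


# Explicit allow-list of the fields the article says reached partners
# (country, device type, which ad, when). Anything else is dropped, so a new
# field added to the event later cannot leak by default.
PARTNER_FIELDS = frozenset({"country_code", "device_type", "ad_id", "interaction_ts"})


def share_with_partner_buggy(event: dict, settings: PrivacySettings) -> dict:
    """The failure mode: `settings` is accepted but never consulted."""
    return {k: v for k, v in event.items() if k in PARTNER_FIELDS}


def share_with_partner(event: dict, settings: PrivacySettings) -> Optional[dict]:
    """Hardened form: check the preference at send time, then project the
    event onto the allow-list. Returns None when nothing may be sent."""
    if not settings.share_with_partners:
        return None
    return {k: event[k] for k in PARTNER_FIELDS if k in event}


def audit(events: Iterable[dict], settings_by_user: Dict[str, PrivacySettings]) -> dict:
    """Replay a batch of events and count what each path would have sent.
    Users with no settings row get the default (opted out) object, so an
    unknown user fails closed instead of being treated as consenting."""
    buggy = hardened = 0
    for ev in events:
        s = settings_by_user.get(ev["user_id"], PrivacySettings())
        if share_with_partner_buggy(ev, s):
            buggy += 1
        if share_with_partner(ev, s) is not None:
            hardened += 1
    return {"buggy_would_send": buggy, "hardened_sends": hardened}


# Constructed sample data (not real users or ads). Only u1 has opted in;
# u3 has no settings row at all.
SAMPLE_EVENTS = [
    {"user_id": "u1", "country_code": "US", "device_type": "android",
     "ad_id": "ad-1", "interaction_ts": 1565000000, "handle": "@alice"},
    {"user_id": "u2", "country_code": "DE", "device_type": "ios",
     "ad_id": "ad-2", "interaction_ts": 1565000100, "handle": "@bob"},
    {"user_id": "u3", "country_code": "GB", "device_type": "android",
     "ad_id": "ad-1", "interaction_ts": 1565000200, "handle": "@carol"},
]
SAMPLE_SETTINGS = {
    "u1": PrivacySettings(share_with_partners=True),
    "u2": PrivacySettings(share_with_partners=False),
}

if __name__ == "__main__":
    print(audit(SAMPLE_EVENTS, SAMPLE_SETTINGS))
    print(share_with_partner(SAMPLE_EVENTS[0], SAMPLE_SETTINGS["u1"]))
```

Two design points carry the weight here: the preference is read at the moment of sending rather than cached with the event, so a user who opts out after clicking an ad is honoured, and the outgoing record is built from an allow-list rather than by stripping known-bad fields, so the `handle` field never reaches a partner even though it sits in the same event.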

What to do?

Nothing. Twitter says it doesn’t believe you need to do anything, besides check your settings.

But these are not the first Twitter “oopses” of the year.

A few months ago – May 2019 – Twitter admitted to a similar sharing gaffe with a partner: it had been mistakenly collecting and sharing some iOS accounts’ location data with one of its partners, even if a user hadn’t opted in to sharing the data.

Before that – January 2019 – Android users had their own run-in with mistaken, unauthorized sharing. Twitter said that it found a bug that exposed some Android private tweets to public view. That one went unnoticed for more than 4 years.

3 Comments

“Twitter admitted to senators that it was still allowing external app developers to access its users’ Gmail accounts”
Was Twitter really doing that??

