What just happened? The Federal Trade Commission (FTC) has fined Twitter $150 million over "deceptive" ad practices that used email addresses and phone numbers submitted for account security purposes, such as two-factor authentication, for targeted ads. Twitter maintains that what happened was an error.

It was reported in 2019 that the scheme used Twitter's Tailored Audiences and Partner Audiences advertising systems, which allow advertisers to target ads to customers based on either their own custom contact lists or those provided by a third party.

Twitter admitted that users' emails and phone numbers were "inadvertently" used for ad targeting in its system. "When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes. This was an error and we apologize," the company wrote at the time.

We recently found that some email addresses and phone numbers provided for account security may have been used unintentionally for advertising purposes. This is no longer happening and we wanted to give you more clarity around the situation: https://t.co/bBLQHwDHeQ

— Twitter Support (@TwitterSupport) October 8, 2019

Twitter never said how many users may have been affected. FTC Chair Lina M. Khan puts the number at over 140 million people, between 2014 and 2019.

Whether it was an error or not, the FTC notes that Twitter's actions violate a 2011 FTC order that explicitly prohibited the company from misrepresenting its privacy and security practices. As such, Twitter must pay a $150 million fine and is banned from profiting from the deceptively collected data. The amount reflects that seriousness of the matter and is intended to prevent further similar tactics that could threaten users' privacy, writes the FTC.

Twitter must also notify all 140+ million users whose numbers and emails were collected for account security and were used for targeted ads. It must also offer two-factor authentication methods that don't require phone numbers, which it started doing in 2019, limit employee access to users' personal data, and notify the FTC if it experiences a data breach.