OAKLAND, Calif. — Twitter said on Monday that it was under investigation by the Federal Trade Commission for potentially misusing people’s personal information to serve ads, adding that it faced fines of $150 million to $250 million.
In a corporate filing, Twitter disclosed that the F.T.C. began the investigation last October after it had linked a database of its users’ personal information, which it had for security purposes, with a system used by advertising partners.
The action, which Twitter said was inadvertent, may have violated a 2011 agreement that the company signed with the F.T.C. over consumer privacy. At the time, Twitter had agreed to a settlement with the agency after hackers had gained administrative control of the social media service on multiple occasions. Under the agreement, Twitter was restricted from misleading people about the measures it took to protect their security and privacy.
An F.T.C. spokeswoman declined to comment on the investigation.
Brandon Borrman, a Twitter spokesman, said the company was contacted by the F.T.C. after it reported quarterly financial results on July 23. The investigation was disclosed in accordance with “standard accounting rules” and was included in a filing with the Securities and Exchange Commission, he added.
Twitter encourages people to provide their phone numbers so that it can add a second step to the login process, called two-factor authentication, which ensures that users receive a text message before gaining access to their own account. But the phone numbers also ended up in a system that allowed advertisers to tailor their ads to specific audiences, the company said. It was unclear how many people were affected, Twitter said.
“When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes,” the company said in an October blog post that disclosed the incident. “This was an error and we apologize.”
Twitter’s security practices have recently been under scrutiny for other reasons. Last month, hackers took over dozens of Twitter accounts and sent tweets from the accounts of prominent individuals, including former President Barack Obama and the reality TV star Kim Kardashian West, to gain Bitcoin. Three people, including a Florida teenager whom authorities have called the “mastermind,” have been arrested and charged with the breach.
Twitter is not the only social media company to fall under F.T.C. scrutiny for using information that people had provided for security reasons for advertising.
Last year, the agency fined Facebook $5 billion to settle several privacy violations, including the use of people’s phone numbers, which had been provided for security purposes, for its advertising business. Facebook agreed that it would no longer use telephone numbers obtained in the name of security for advertising.