According to Twitter, when advertisers uploaded their own marketing list of phone number and email addresses, Twitter's software matched that list to Twitter users based on the 2FA details (phone number and email addresses) provided to them exclusively for security purposes.
"We can not say with certainty how many people were impacted by this, but in an effort to be transparent, we wanted to make everyone aware", said Twitter.
"We're very sorry this happened and are taking steps to make sure we don't make a mistake like this again", said the company. They were provided to help protect users' accounts one way or another.
Meanwhile, Partner Audiences provides those same features to advertisers, but the lists are created by third parties.
It's the latest in a series of security lapses at Twitter in the past year. This had been a known security flaw for some time, but was only taken down after the account of Twitter CEO Jack Dorsey was compromised.
This security mishap was subsequently discovered by a research team after the phone numbers added to test accounts were actively being targeted by advertisers after just a couple of weeks.