The FTC is investigating Twitter because they used phone number data, originally given to the company for 2FA purposes, to target people with advertising.
Back in 2019, Twitter was discovered (and admitted) that they targeted users with ads using email addresses and phone numbers that users gave out to enable 2FA and MFA, in order to have stronger account security.
Twitter claimed it was done in error and claimed they would stop the practice.
However, Twitter was already under an FTC consent decree that mandated them to “better protect personal data,” a decision that stemmed from a hack Twitter suffered in 2009.
Because users were giving out this information in the name of privacy and security and then had that info shared and used for advertising purposes, Twitter may have violated the decree and has estimated they’d be fined $150M-$250M by the FTC as a result of the investigation.
What You Should Do
Keep using 2FA. While Twitter’s actions are a gross violation of privacy, users were still much better off enabling 2FA, even if the associated data would be used for targeting and advertising purposes (not that it makes what Twitter did okay).
However, if you’re really concerned about that data getting out, which is unlikely given that it’s led to an FTC investigation, you can use an authenticator app (like Authy) or a security key (like Yubikey), allowing you to enable and use 2FA on accounts without giving up any additional personal information.
For more details, visit Bloomberg.