The social media site said some email addresses or phone numbers provided to the site as part of safety and security procedures, such as two-factor authentication to log in, had been “inadvertently” used for advertising.
Twitter said it may have matched contact details gathered with those on marketing lists uploaded by advertisers, who can use a Twitter feature called Tailored Audiences to find customers and target them with adverts.
The firm said it had now solved the issue.
“This was an error and we apologise.
“We cannot say with certainty how many people were impacted by this, but in an effort to be transparent, we wanted to make everyone aware,” the social platform said.
“No personal data was ever shared externally with our partners or any other third parties.
“As of September 17, we have addressed the issue that allowed this to occur and are no longer using phone numbers or email addresses collected for safety or security purposes for advertising.
“We’re very sorry this happened and are taking steps to make sure we don’t make a mistake like this again.”
Strict new data laws, the General Data Protection Regulation (GDPR), were introduced in the EU last year and include requirements for firms to be more transparent about data issues and report any breaches in a timely fashion to avoid potential penalties, including large fines.
The Irish Data Protection Commission, which is Twitter’s data supervisor in the EU, confirmed the social media site had contacted them over the incident and that the two were currently engaging on it.