Twitter reports that email address and phone numbers added for security reasons such as two-factor authorization "may have inadvertently been used for advertising purposes."
When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes. This was an error and we apologize.
We cannot say with certainty how many people were impacted by this, but in an effort to be transparent, we wanted to make everyone aware. No personal data was ever shared externally with our partners or any other third parties.
User data that Twitter cannot sell ended up in an advertising product that lets Twitter monetize such data without revealing it directly to third parties. Inadvertantly.