Twitter is being investigated by the Federal Trade Commission for alleged privacy violations, another setback for a company that has struggled in recent years to protect private user data and account security.

The FTC is probing the company for using phone numbers uploaded for security purposes to target people with advertising – a potential violation of a 2011 consent decree in which Twitter agreed to better protect personal data, the company said Monday in a regulatory filing. The probe may lead to a “probable loss” of $150 million to $250 million, the San Francisco-based company said.

“The matter remains unresolved and there can be no assurance as to the timing or the terms of any final outcome,” Twitter said.

Twitter’s 2011 settlement with the FTC barred the company for 20 years from “misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information.” The agreement sprang from a 2009 hack of the social media platform that allowed intruders to send out phony messages from any account, among other issues. Under the settlement, the company also had to honor users’ privacy choices and faced fines of as much as $16,000 per violation of the order in the future, the FTC said at the time.

A spokeswoman for the FTC declined to comment.

Twitter’s shares fell about 1% in extended trading after closing at $36.39 in New York. The stock has gained 14% this year.

“Following the announcement of our Q2 financial results, we received a draft complaint from the FTC alleging violations of our 2011 consent order,” a Twitter spokesperson said. “Following standard accounting rules we included an estimated range for settlement.”


The FTC has been fining big tech platforms in recent years for data lapses, including the recent record $5 billion fine against Facebook and a settlement with Google’s YouTube over alleged collection of children’s data that included a $170 million fine.

Twitter confirmed in 2019 that it was using phone numbers provided to the company for security purposes to target those users with advertising. At the time, Twitter said those numbers were used “inadvertently,” and added that it did not know how many people were affected. The current complaint says the company violated the terms of the agreement by misusing phone numbers or emails “during periods between 2013 and 2019,” according to the filing.

It’s unknown whether Twitter will face a similar investigation for a high-profile incident last month in which hackers took control of the accounts of some of the service’s most famous users as part of a Bitcoin scam. That attackers gained access to 130 Twitter accounts, including those of former president Barack Obama, current Democratic presidential candidate Joe Biden and Tesla CEO Elon Musk. Hackers accessed the direct messages linked to 36 of those accounts, and downloaded the personal data from seven of them, Twitter said.

Twitter said a hacker gained access to the accounts in part by tricking some employees over the phone. Three people were charged last week in the attack.