Twitter recently released a shocking statement revealing that they have been sharing private information of users with advertisers.

In the statement posted on the Help Center of the company’s site, they admitted to matching customers to advertisers’ marketing lists using the email addresses and phone numbers they provided for security features like their Two-factor authentication process:

“We recently discovered that when you provided an email address or phone number for safety or security purposes (for example, two-factor authentication) this data may have inadvertently been used for advertising purposes, specifically in our Tailored Audiences and Partner Audiences advertising system. “

According to Twitter, the Tailored Audiences feature allows advertisers to target ads to customers based on the advertiser’s own marketing lists (e.g., email addresses or phone numbers they have compiled). Partner Audiences then allows advertisers to use the Tailored Audiences feature to target ads to audiences provided by third-party partners.

This incident is a huge blow to the company amid increasing public frustration over the misuse of their personal data. It’s unclear if this is a breach of Europe’s newly-implemented General Data Protection Regulation (GDPR) or how European regulators will respond. However, in recent years, the EU has asserted itself as the world’s police for Big Tech and has issued massive fines on companies like Google for various missteps.