Twitter could be facing a fine of up to $250m (£190m) for misusing users’ personal information.
The social media giant confirmed it was under investigation by the US Federal Trade Commission (FTC) for “inadvertently” misusing people’s data.
The company said last year that phone numbers and email addresses provided for security were actually used for advertising purposes between 2013 and 2019.
According to a draft complaint from the FTC, Twitter violated a promise not to mislead users about the security of their data by allowing it to be used by advertisers for targeted marketing.
In a filing to the Securities and Exchange Commission in the US, Twitter says the issue could cost the company between $150m (£115m) and $250m (£190m) to resolve, and it has set aside $150m (£115m) ahead of the potential penalty.
The large fine is a result of the FTC believing the social media company breached a previous agreement over past data breaches.
Twitter had agreed it would not “mislead consumers about the extent to which it protects the security, privacy, and confidentiality” of their data.
It follows a security incident at the company two weeks ago in which accounts belonging to celebrities including Barack Obama, Jeff Bezos and Kim Kardashian were hijacked by Bitcoin scammers.
Three people have now been charged over the incident, including a teenager from Bognor Regis.
The company said out of the 130 accounts targeted, 45 were used to send tweets.
Direct message inboxes of 36 users were accessed, while the Twitter data of seven users were downloaded.
According to the Department of Justice, the scam Bitcoin account received more than 400 transfers worth more than $117,000 (£90,000).