The incident marks the latest security mishap for the social-networking company, but one that could carry with it some legal headaches. Federal regulators penalized Facebook earlier this year for a similar situation.
In a blog post, Twitter explained that users share email addresses and phone numbers with the company for safety and login verification purposes, such as two-factor authentication, which allows people to receive a one-time code that they input along with their password in order to access their account.
The trouble, however, stems from the fact that advertisers can upload their own contact lists to match their customers with Twitter's users. In doing so, Twitter said it "may have matched people on Twitter" to a marketer's list "based on the email or phone number the Twitter account holder provided for safety and security purposes."