The company said Tuesday that it "inadvertently" used the emails and phone numbers to let advertisers match people to their own marketing lists.
"We can not say with certainty how many people were impacted by this, but in an effort to be transparent, we wanted to make everyone aware", the company said in a short statement posted on its website.
Advertisers send ads to users using personal information like phone numbers and email addresses.
Social media companies, including Twitter and Facebook, have regularly faced heat from users and regulators globally on how they handle user data.More news: Alexandria men wanted in killing of witness at Amber Guyger's trial
Twitter is only supposed to use phone numbers for two-factor authentication, but it appears to have been unintentionally used for more.
Your email address or phone number - whichever you used for two-factor authentication or security purposes.
Adding to Twitter's potential troubles, the company finalized an agreement with the FTC in 2011 that alleged the company failed to protect users from security threats.
Twitter does not know how many of its users were impacted by this.
"We can not say with certainty how many people were impacted by this, but in an effort to be transparent, we wanted to make everyone aware".More news: Former US President Carter falls, requires stitches
The company apologized for this error and says that it's taking measures to make sure that a similar mistake will not happen again.
Earlier this year, Facebook was handed a $5bn fine by the USA government for playing fast and loose with the personal information of its customers.
Twitter has revealed a number of additional data-security incidents this year.
Meanwhile, Partner Audiences provides those same features to advertisers, but the lists are created by third parties. With 2FA, hackers can't take over an account unless they have access to the user's phone number, raising the difficulty level for attackers.More news: Our bowlers pretty good at reverse swing: Arun