The Federal Trade Commission (FTC) has issued a $150 million fine against Twitter for misrepresenting its security and privacy practices.

The FTC, in cooperation with the Department of Justice (DoJ), says that Twitter has been using the email addresses and phone numbers it collects from users to enable two-factor authentication to serve targeted advertising.

In addition to the fine for the violation, Twitter has been given a list of do’s and don’ts: It’s prohibited from making a profit on data collected under the guise of security; it must allow users to use mobile authentication apps and security keys for multifactor authentication, which don’t require a user to provide their phone number;