The Federal Trade Commission (FTC) and the Department of Justice say Twitter violated an agreement it had with regulators, court documents showed.
Twitter had vowed to not give personal information like phone numbers and email addresses to advertisers.
Federal investigators say the social media company broke those rules.
Twitter was fined £400,000 in December 2020 for breaking Europe's GDPR data privacy rules.
The FTC is an independent agency of the US government whose mission is the enforcement of anti-trust law and the promotion of consumer protection.
It accuses Twitter of breaching a 2011 FTC order that explicitly prohibited the company from misrepresenting its privacy and security practices.
Twitter generates most of its revenue from advertising on its platform, which allows users ranging from consumers to celebrities to corporations to post 280-character messages, or tweets.
According to a complaint filed by the Department of Justice on behalf of the FTC, Twitter in 2013 began asking users to provide either a phone number or email address to improve account security.
"As the complaint notes, Twitter obtained data from users on the pretext of harnessing it for security purposes, but then ended up also using the data to target users with ads," said Lina Khan, who chairs the FTC.
"This practice affected more than 140 million Twitter users, while boosting Twitter's primary source of revenue."