Regulators in Ireland are digging into Twitter’s potential data leaks that hackers claim exposed millions of people’s personal information online.
Ireland’s Data Protection Commission began an investigation this month in response to news reports that datasets of Twitter users’ information had become available on the internet.
“These datasets were reported to contain personal data relating to approximately 5.4 million Twitter users worldwide,” the commission said in a statement. “The datasets were reported to map Twitter IDs to email addresses and/or telephone numbers of the associated data subjects.”
The number of accounts potentially included in the datasets subsequently ballooned, as the cybercrime intelligence firm Hudson Rock said it spotted a credible threat actor selling a database with 400 million Twitter users’ data.
The firm said on Twitter that it had not confirmed the exact number of users apparently exposed by the threat actor named Ryushi that tried to sell the data.
Ireland’s Data Protection Commission is also investigating the larger potential leak, it told the BBC this week.
Ryushi told the tech publication Bleeping Computer that it wanted to sell the Twitter data to a single person or the social media company itself for $200,000 and would then delete the data.
The vulnerability leveraged by Ryushi was fixed by Twitter in January, according to Bleeping Computer.
Alongside Ireland‘s privacy regulator, U.S. regulators may also take an interest in Twitter’s business. In May, the Federal Trade Commission and the Department of Justice ordered Twitter to pay $150 million in civil penalties over alleged data privacy violations.
The Justice Department said at the time Twitter collected people’s phone numbers and email addresses purportedly for security purposes but later utilized that information for companies to send targeted ads to users.
The FTC declined to comment, and Twitter did not immediately respond to a request for comment Friday.