Social networking company Twitter disclosed in a regulatory filing Monday that it could face fines of up to $250 million by the Federal Trade Commission for misusing people’s personal information for advertising purposes.

In the filing, Twitter said it received a draft complaint from the FTC on July 28, alleging the company violated its 2011 consent order with the FTC and the FTC Act. The 2011 consent order resolved charges that Twitter “deceived consumers and put their privacy at risk by failing to safeguard their personal information,” according to the FTC. The complaint alleged “serious lapses in the company’s data security” allowed hackers to gain administrative control of Twitter on two occasions between January and May of 2009.

The FTC allegations relate to the company’s use of phone number and/or email address data provided for safety and security purposes for targeted advertising during periods between 2013 and 2019. In a blog post, Twitter said the email addresses and phone numbers “may have inadvertently been used for advertising purposes.”

“When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes,” Twitter stated in the blog post. “This was an error, and we apologize.”

In its regulatory filing, Twitter estimated the range of probable loss in this matter is $150 million-$250 million and that it has recorded an accrual of $150 million. “The matter remains unresolved, and there can be no assurance as to the timing or the terms of any final outcome,” Twitter said.

The FTC investigation concerning violations of the 2011 consent order isn’t Twitter’s only concern. In July, it suffered a major cyber-attack when hackers gained access to the company’s internal computer dashboard, which hackers then used to hijack dozens of prominent Twitter accounts in an attempt to solicit Bitcoin.