The Irish Data Protection Commission (DPC) is investigating whether Twitter violated the European Union’s General Data Protection Regulation (GDPR) regarding a data breach alleged to have affected 5.4 million users.

The probe, announced Dec. 23, follows an exchange between the regulator and social media giant in relation to a security vulnerability disclosed by Twitter in August. The extent of apparent harm done amplified in November when media reports highlighted the posting of the user details for free on hacker forums.

The breached details reportedly included private information, such as phone numbers and email addresses.

“The DPC, having considered the information provided by [Twitter] regarding this matter to date, is of the opinion that one or more provisions of the GDPR and/or the [Data Protection Act 2018] may have been, and/or are being, infringed in relation to Twitter users’ personal data,” the regulator said in a press release.

The Irish DPC last month levied a fine of 265 million euros (then-U.S. $274 million) against Meta Platforms for a security vulnerability affecting more than 500 million Facebook users. The regulator has also previously disciplined Twitter, ordering the company to pay €450,000 (then-U.S. $547,000) in December 2020 for failing to timely report a 2018 data breach.

While Twitter has received additional scrutiny from regulators since mass layoffs and resignations following Elon Musk’s purchase of the company in October, the security vulnerability the Irish DPC is investigating dates as far back as June 2021, the company acknowledged in its August disclosure. Twitter said it fixed the issue after being made aware of it in January.

In August, a former cybersecurity executive at Twitter blew the whistle on his observations of systemic data security lapses at the company, saying he was fired after raising concerns internally with management earlier this year.

Twitter could not be reached for further comment.