Ireland’s privacy regulator today announced that it will examine a recently disclosed data breach that may affect more than 400 million Twitter Inc. users.

The Data Protection Commission, or DPC, is already investigating the company over a previous breach. The latter incident, which took place in November, involved hackers leaking information belonging to 5.4 million Twitter users. 

Earlier this week, reports emerged that the data of more than 400 million Twitter users had been put up for sale on a hacker forum. The compromised data is said to include the affected users’ names, phone numbers, usernames, follower counts and account creation dates. The hacker behind the breach demanded $200,000 to hand over the information and delete it.  

The hacker also publicly released the data of more than 1,000 users. The users reportedly include politicians, celebrities and other public figures.

The data was reportedly stolen using a flaw in one of Twitter’s application programming interfaces. The flaw was introduced into the API through a faulty software released in 2021. It enabled hackers to learn the phone numbers and email addresses associated with specific Twitter accounts.

Earlier this year, the flaw was used to steal information belonging to 5.4 million Twitter users. Ireland’s Data Protection Commission recently launched a probe into Twitter’s response to the incident. The DPC indicated today that it will expand the scope of the inquiry to include the latest data breach disclosed this week. 

“Reports have claimed that some additional datasets have now been offered for sale on the dark web,” the regulator said in a statement to the BBC. “The DPC has engaged with Twitter in this inquiry and will examine Twitter’s compliance with data-protection law in relation to that security issue.”

The DPC earlier sought information from Twitter about the potential impact of the company’s recent layoffs on its ability to meet privacy obligations. The layoffs affected more than half of Twitter’s workforce, including members of its policy, safety and privacy teams. The DPC stated late last month that “so far we’re getting answers to our questions.”

The DPC is responsible for supervising Twitter’s privacy practices because the company’s European Union head office is located in Ireland. For the same reason, the regulator also oversees many other major tech firms that maintain their EU offices in Ireland. The group includes Meta Platforms Inc., which has received two fines totaling €625 million from the DPC over the past year for failing to comply with the EU’s GDPR privacy law.

Photo: Unsplash