More than 5.4 million Twitter user records containing data stolen via an API vulnerability fixed in January have been leaked for free on a cybercriminal forum. Furthermore, it appears that there may be another, even larger data dump, containing about 17 million Twitter users’ records obtained via the same vulnerability, according to tech news site BleepingComputer.
In July, reports emerged that the private information of over 5.4 million Twitter users was put up for sale on a hacking forum for a price of $30,000. The database contained both public information, like Twitter IDs, names, login names, locations, and verified status, and private data, such as phone numbers and email addresses.
In addition to the 5.4 million records for sale, there were 1.4 million Twitter profiles of suspended users collected using a different API, bringing the total to almost 7 million Twitter profiles containing private information, BleepingComputer reports.
Starting in September, the same 5.4 million Twitter records were observed being shared for free on a hacking forum.
As for the new, previously unknown data dump, disclosed by a security researcher, it allegedly contains information on tens of millions of Twitter users in the US and EU, including personal phone numbers, as well as public information.
Twitter has yet to comment on this alleged breach.