A watchdog is looking into Twitter after a hacker claimed to have private information linked to over 400 million accounts.
The hacker, known as "Ryushi," is demanding $200,000 (£166,000) to hand over and delete the data, which is said to include some celebrities.
Ireland's Data Protection Commission (DPC) says it "will examine Twitter's compliance with data protection law in relation to that security issue".
Twitter has not responded to the claim.
The data is said to include phone numbers and emails, including those of celebrities and politicians, but the size of the alleged haul has not been confirmed. So far, only a small "sample" has been made public.
According to The Guardian, data from US Congresswoman Alexandria Ocasio-Cortez was included in the hacker's sample of data. The data of broadcaster Piers Morgan, whose Twitter account was recently hacked, is also said to be included.
So far, Twitter has not responded to press inquiries about the alleged breach.
Chief executive Elon Musk did not reply to a tweeted request for comment from leading cyber-security reporter Brian Krebs - though the breach, as Mr Krebs notes, probably occurred before the Tesla boss took over.
Cyber-crime intelligence company Hudson Rock says it was the first to raise the alarm about the data sale.
While acknowledging the amount of data taken had not been verified, the firm's chief technology officer, Alon Gal, told the BBC a number of clues appeared to support the hacker's claim.
The data did not appear to have been copied from an earlier breach in which details were published from 5.4 million Twitter accounts, Mr Gal said.
Only 60 emails were found out of the 1,000 provided by the hacker in the previous incident, "so we are confident that this breach is different and significantly larger," he said.
Mr Gal also mentioned: "The hacker intends to sell the database using an escrow service offered on a cybercrime forum. This is usually only done for genuine offerings."
An escrow service is a third party that agrees to release funds only when certain conditions are met (such as data transfer).
"Ryushi" has said that it exploited a problem with a system that lets computer programmes connect with Twitter to compile the data.
Twitter fixed the weakness in the system in 2022. But the flaw is also believed to have been used in the earlier breach affecting more than five million accounts.
The DPC announced it was investigating that earlier breach on 23 December.
As Twitter's European headquarters are based in Dublin, the commission is the lead authority supervising its compliance with EU data protection rules.
In a statement sent to the BBC about the latest incident, the DPC noted its continuing investigation into the earlier Twitter breach but added: "Reports have claimed that some additional datasets have now been offered for sale on the dark web.
"The DPC has engaged with Twitter in this inquiry and will examine Twitter's compliance with data protection law in relation to that security issue."
The hacker is aware of how damaging the loss of data can be for platforms.
In the online post offering to sell the data, it warns Twitter that buying back the data "exclusively" is its best chance of avoiding a large data-protection fine.
The DPC fined Meta 265 million euros ($276 million) in November after data scraped from more than 533 million Facebook users was leaked online.
According to the BBC, the UK Information Commissioner's Office (ICO) was aware of "media reports" about Twitter users' personal information being made available on the internet.
"We are engaged in dialogue with Twitter's data protection officer and will be making enquiries on this matter," it said.
It added that it would cooperate with the Data Protection Commission of Ireland.