If you’ve used Twitter on your Android phone anytime since 2014, you might want to double-check your settings. Twitter disclosed on its Help Center page today that some Android users had their private tweets revealed for years due to a security flaw. The issue caused the Twitter for Android app to disable the “Protect your Tweets” setting for some Android users who made changes to their account settings, such as changing the email address associated with their account, between November 3rd, 2014 and January 14th, 2019.

Though the company says the issue was fixed earlier this week and that iOS or web users weren’t affected, it doesn’t yet know how many Android accounts were affected. Twitter says it’s reached out to affected users and turned the setting back on for them, but it still recommends that users review their privacy settings to make sure it reflects their desired preferences.

Twitter, which had already been under EU investigation for its data-collection issues under the new General Data Protection Regulation (GDPR) rules, is now facing a new privacy investigation for the protected tweets security flaw by the Irish Data Protection Commission (DPC), according to Bloomberg. Failure to improve its privacy practices would cost the company a hefty EU privacy fine, which, under GDPR, would be 4 percent of the company’s annual revenue.

DPC head of communications Graham X. Doyle told Bloomberg, “The DPC opened a statutory inquiry in late 2018 into Twitter’s obligation under the General Data Protection Regulation (GDPR) to implement technical and organisational measures to ensure the security and safeguarding of the personal data it processes following the receipt of a number of breach notifications from the company since May 25, 2018. This inquiry is ongoing.”