Twitter on Monday said it was investigating unusual traffic that might be from state-sponsored hackers.

Twitter said in a blog that it discovered suspicious traffic to a customer-support forum while investigating a security bug that exposed data, including users’ phone country codes and details on locked accounts. It said the bug was fixed Nov. 16.

Twitter observed a large amount of traffic to the customer support site coming from individual internet IP addresses in China and Saudi Arabia.

“While we cannot confirm intent or attribution for certain, it is possible that some of these IP addresses may have ties to state-sponsored actors,” the blog said.

“We continue to err on the side of full transparency in this area and have updated law enforcement on our findings,” it said.

Separately, security software maker Trend Micro said in a blog earlier on Monday that attackers sent out two tweets in October in a bid to steal data from previously infected machines.

The hackers hid instructions in tweeted memes that secretly ordered infected devices to send information, including user names, screen images and other content, Trend Micro said.

Twitter declined to comment on the Trend Micro report.