Update, April 1, 2025: This story, originally published March 31, has been updated with information from a conversation with ThinkingOne, who released the latest X data, as well as more details concerning the original 2022 data leak and the X response.
Elon Musk’s social media platform, X, is no stranger to the news, what with the reported purchase of X by xAI for $33 billion, attackers claiming responsibility for platform outages, and X password scams targeting users. Now, another shock awaits the users of what used to be Twitter: a self-proclaimed data enthusiast has just given away what is claimed to be a database containing details of some 200 million X user records. Here’s what we know so far.
Attackers Exploited X Vulnerability To Grab User Information
The story started in January 2022, when Twitter, as it was then, learned of a vulnerability through its bug bounty program that could enable an attacker to access data relating to platform users just by knowing an email address or telephone number. By July of that year, Twitter found that someone had exploited the vulnerability before it could be fixed and was selling a large amount of user data that had been collected in this way. “After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed,” Twitter confirmed at the time.
Fast forward to today, and that incident would appear to have come back to bite X users once more. Now, a data enthusiast called ThinkingOne says they have accessed that data and added it to a further breach, which they claimed was leaked in January 2025.
According to a posting on a well-known data breach forum, they decided to give the data away for free, having tried to contact X but with no response.
According to the Safety Detectives cybersecurity team, which broke the story, ThinkingOne claims to “only have included records of X users present in both datasets.” The result is a 34 GB CSV file containing 201,186,753 data entries in total.
It is understood that the data, which the Safety Detectives researchers have verified, in part at least, to be genuine, included: X screen names and user IDs, full names, locations, email addresses, follower counts, profile data, time zones, profile images and more.
In Conversation With ThinkingOne Who Released The Latest X Files
I have had an email conversation with ThinkingOne, who told me they don’t consider themselves a hacker but rather a data enthusiast who tries to ensure everything they do is legal.
“The real story (to me, at least) is that 2.8 billion records were exfiltrated from Twitter/X,” ThinkingOne told me. “This is by far the largest social media breach ever, in terms of number of users, and there is at least a possibility that the person responsible for the breach has other data including emails, phone numbers and passwords,” ThinkingOne claimed.
That number of user records far exceeds the figure of a few hundred million users normally thrown around because the latter counts monthly active users: the users who logged on during a given period, in other words.
“The dataset leaked in January, 2025 included over 2.8 billion unique Twitter IDs and screennames,” ThinkingOne told me, “I checked a representative sample of 100 and 92 had the correct user ID and screenname.”
All of which left ThinkingOne, well, thinking, “how could someone enumerate all Twitter user IDs, unless they were an employee or this was a very serious hacking job?”
This is a breaking story, and I will update it as more information becomes available. I have reached out to X for a statement.
What X Has Said About The Data Leaks
In January 2023, Twitter, now X, published a lengthy posting in response to the allegations that user data was being sold online. Beyond the usual, and frankly by now quite tedious to read, “we take our responsibility to protect your privacy very seriously” mantra (I mean, that should be understood as a baseline, right?), X said it had conducted a thorough investigation and found no evidence that the data which had appeared in online marketplaces “was obtained by exploiting a vulnerability of X systems.”
However, that posting also confirmed that, in January 2022, it became apparent that if anyone “submitted an email address or phone number to X’s systems, X’s systems would tell the person what X account the submitted email addresses or phone number was associated with, if any.” This, apparently, was due to a coding error in a June 202 update.
“In November 2022,” X said, “some press reports published that X users’ data had been allegedly leaked online. As soon as we became aware of the news, X’s Incident Response Team compared the data in the new report to data reported by the media on 21 July 2022.” That comparison confirmed that the data was the same in both cases. In December 2022, further reports revealed someone claimed to have access to more than 400 million X-associated user emails and phone numbers, obtained by using the same vulnerability. Then, in January 2023, another attempt was made to sell data from 200 million X-associated accounts.
When it comes to the numbers, X said that:
5.4 million user accounts reported in November were found to be the same as those exposed in August 2022.
400 million instances of user data in the second alleged breach could not be correlated with the previously reported incident, nor with any new incident.
The 200 million dataset could not be correlated with the previously reported incident or any data originating from an exploitation of X systems.
X stated that none of the datasets analyzed contained passwords or information that could lead to passwords being compromised.