Twitter (X) Hit by Data Leak of 2.8 Billion Users; Allegedly an Insider Job

A data leak involving a whopping 2.87 billion Twitter (X) users has surfaced on the infamous Breach Forums. According to a post by a user named ThinkingOne, the leak is the result of a disgruntled X employee who allegedly stole the data during a period of mass layoffs. If true, this would be the largest social media data breach in history, but surprisingly, neither X nor the broader public appears to be aware of it.

What We Know About the Breach

The original post by ThinkingOne states that the data, around 400GB worth, was likely exfiltrated during messy layoffs at X. The poster claims that they tried contacting X through multiple methods but received no response.

Frustrated with the lack of acknowledgment from X and the general public, they took matters into their own hands and decided to merge the newly leaked data with another infamous breach from January 2023.

Screenshot from Breach Forums shows what ThinkingOne has posted about the alleged breach (Credit: Waqas/Hackread.com)

The 2023 Breach Recap

To understand the full scope of what was leaked, looking at the 2023 X data breach that affected around 209 million users is important. That breach exposed:

Email addresses Display names and usernames (handles) Followers count and account creation dates

At the time, X downplayed the leak, stating that it consisted of publicly available data. Despite the massive exposure of email addresses, they insisted that no sensitive or private information was involved. However, security experts warned that the combination of emails and public data could enable phishing and identity theft on a large scale.

What’s Inside the Alleged 2025 Breach?

The 2025 breach, however, is a completely different beast. Unlike the 2023 leak, it doesn’t contain email addresses, but it does hold a goldmine of profile metadata, including:

Account creation dates. User IDs and screen names. Profile descriptions and URLs. Location and time zone settings. Display names (current and from 2021). Followers count from both 2021 and 2025. Tweet count and timestamps of the last tweet. Friends count, listed count, and favorites count. Source of the last tweet (such as TweetDeck or X Web App). Status settings (like whether the profile is verified or protected).

The data gives a detailed snapshot of users’ profiles and activity over time, including bios, follower counts from different years, tweet history, and even the app used for the last tweet. But the one thing it doesn’t include is the most sensitive bit: email addresses.

The Data Mashup

ThinkingOne, a well-known figure on Breach Forums for their skill in analyzing data leaks, decided to combine the 2025 leak with the 2023 one, producing a single 34GB CSV file (9GB compressed) containing 201 million merged entries. To be clear, the merged data only includes users that appeared in both breaches, creating a confusion of public and semi-public data.

This messy combination led many to believe that the 2025 leak also contained email addresses, but that’s not the case. The emails shown in the merged file are from the 2023 breach. The presence of emails in the merged dataset has given the wrong impression that the contents of the 2025 leak also include email addresses.

Who Is ThinkingOne, and How Did They Get the Data?

One of the biggest mysteries is how ThinkingOne managed to obtain the 2025 breach data in the first place. Unlike typical hackers, they are not known for breaching systems themselves but are highly regarded for analyzing and interpreting leaked datasets. Whether they received the data from another source or conducted some sophisticated data aggregation is still unclear.

Their theory that a disgruntled employee leaked the data during the layoffs remains unconfirmed, and there’s no concrete evidence to support it; it is only a plausible hypothesis given the timing and internal mess at X.

Why the Silence from X?

If the claims are true, this is not just a massive breach in size but also a blow to user privacy and corporate security practices. Yet, X remains silent, and the general public remains largely unaware.

Whether it’s due to a lack of awareness on their part or an intentional attempt to downplay the incident, the absence of any official response raises serious questions about corporate transparency and accountability.

Despite the large scale of the alleged breach, the lack of public acknowledgment from X is worrisome. Whether this was an inside job or not, users are left with more questions than answers: How much of their data has been compromised? Who was behind the leak? And why hasn’t X issued any statements about it?