X, the social network formerly known as Twitter, appears to have suffered a data breach. On BreachForums, the hub for compromised data, a hacker calling himself ThinkingOne claims to have obtained a repository of "400 GB of information" during January 2025.
The database reportedly includes the personal data of 2.87 billion X users. Among the data claimed by ThinkingOne are account creation dates, user IDs, screen names, profile descriptions, profile URLs, location settings, time zone settings, current display names, display names since 2021, number of followers from 2021 to 2025, total number of tweets, timestamp of last tweet, number of friends, number of appearances in lists, number of favorited tweets, as well as the source of the last tweet (e.g., TweetDeck, X Web App), and profile status (verified, protected, etc.).
Billions of these hacked X accounts likely belonged to bots, spammers, or people who deactivated or deleted their own accounts. Indeed, X only has 400 million active users worldwide, according to Statista. Regardless, the data provides a comprehensive overview of how Twitter account activity has evolved over the years. If the incident is proven, it could be one of the largest data breaches recorded by a social network, points out HackRead, which was the first media outlet to report the information.
Fired employee at source of the leak
The hacker claims that the data was likely exfiltrated by "a disgruntled employee" during the wave of layoffs ordered by Elon Musk three years earlier. After acquiring Twitter, the billionaire cut a large portion of the group's payroll in an effort to increase efficiency and reduce costs.
The hacker says he tried to contact X's management, but to no avail. Annoyed by the social network's lack of response, he decided to put the data online. On BreachForums, he explains that he has "seen no sign that X or the general public is aware of the biggest social media breach of all time (I initially tried to contact X via several methods without response)." He does not specify how he unearthed the database.
Data combined with another leak
He specifies that he combined the data with information disclosed in a previous leak, which occurred in January 2022, just a few months before Elon Musk's takeover. This one only affected 209 million users. At the time of this leak, X had downplayed the incident by emphasizing that it was only public data, likely collected by scraping software. This practice allows for the mass extraction of public data using dedicated computer programs. Later, Twitter revealed that the leak stemmed from a flaw in the "Let people with your phone number find you on Twitter" feature. The flaw allowed an attacker to link a phone number or email address to a Twitter account, endangering the anonymity of users, before being corrected by the group's teams.
For ThinkingOne, this file of "200 million is really irrelevant, the Twitter leak of 2.8 billion users is the real news". The hacker published several links to download the data of X users. In fact, he generated a 34 GB CSV file (9 GB compressed) containing 201 million merged entries. This document only includes users affected by both incidents. It includes the username (or pseudonym) and ID on X, the full name, location, email address, number of followers, profile information, time zone, and profile picture.
With email addresses and metadata combined, hackers can easily target X users with personalized scams. That's why ThinkingOne chose to cross-reference the data. This approach demonstrates the danger of compromised information.
A data enthusiast
In an interview with Forbes, the hacker, who describes himself as a "data geek", points out that this could well be "the largest social media breach of all time, in terms of user numbers, and it's at least possible that the person responsible for the breach has other data, including emails, phone numbers, and passwords.".
Researchers at Safety Detectives were able to verify the authenticity of much of the directory data. The experts explain that they "examined the information corresponding to 100 users on the list, and we found that it matched what was posted on Twitter", and that they "verified a considerable number of emails, which turned out to be valid email addresses". However, X has not yet publicly responded to the hacker's claims.
Source: HackRead
0 Comments