Elon Musk’s social media platform, X, is no stranger to the news. What with the reported purchase of X by xAI for $33 billion, attackers claiming responsibility for platform outages, and X password scams targeting users. Now, another shock awaits the users of what used to be Twitter: a self-proclaimed data enthusiast has just given away what is claimed to be a database containing details of some 200 million X user records. Here’s what we know so far.
Attackers Exploited X Vulnerability To Grab User Information
The story started in January 2022, when Twitter, as it was then, learned of a vulnerability through its bug bounty program that could enable an attacker to access data relating to platform users just by knowing an email address or telephone number. By July of that year, Twitter found that someone had exploited the vulnerability before it could be fixed and was selling a large amount of user data that had been collected in this way. “After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed,” Twitter confirmed at the time.
Fast forward to today, and that incident would appear to have come back to bite X users once more. Now, a data enthusiast called ThinkingOne says they have accessed that data and added it to a further breach, which they claimed was leaked in January 2025.
According to a posting on a well-known data breach forum, they decided to give the data away for free, having tried to contact X but with no response.
According to the Safety Detectives cybersecurity team which broke the story, ThinkingOne claims to “only have included records of X users present in both datasets.” The result is a 34 GB CSV file containing 201,186,753 data entries in total.
It is understood that the data, which has been verified in part at least to be genuine by the Safety Detectives researchers, included: X screen name and user IDs, full names, locations, email addresses, follower counts, profile data, time zones, profile images and more.
In Conversation With ThinkingOne Who Released The Latest X Files
I have had an email conversation with ThinkingOne, who told me they don’t consider themselves a hacker but rather a data enthusiast who tries to ensure everything they do is legal.
“The real story (to me, at least) is that 2.8 billion records were exfiltrated from Twitter/X,” ThinkingOne told me. “This is by far the largest social media breach ever, in terms of number of users, and there is at least a possibility that the person responsible for the breach has other data including emails, phone numbers and passwords,” ThinkingOne claimed.
The huge number of user records exceeds the normal figures thrown around of a few hundred million users because the latter is a monthly active users amount. The users who logged on during a given period, in other words.
“The dataset leaked in January, 2025 included over 2.8 billion unique Twitter IDs and screennames,” ThinkingOne told me, “I checked a representative sample of 100 and 92 had the correct user ID and screenname.”
All of which left ThinkingOne, well, thinking, “how could someone enumerate all Twitter user IDs, unless they were an employee or this was a very serious hacking job?”
This is a breaking story, and I will update it as more information becomes available. I have reached out to X for a statement.
Source: https://www.forbes.com/sites/daveyw...ked-200-million-x-user-data-records-for-free/