
Summary

  • X (formerly Twitter) has suffered a massive data breach, exposing 2.8 billion user profiles.
  • “ThinkingOne”, who leaked the data, claims a disgruntled former employee stole the data.
  • The breach combines stolen 2022 data and new metadata from a 2025 breach, making it the largest social media hack ever.
  • X’s failure to respond has raised serious questions about the company’s internal security and incident response.
  • The leaked data includes usernames, email addresses, follower counts, and more.
  • Key lessons: Deploy DSPM tools, prioritize vulnerability management, and strengthen incident response.

X (formerly Twitter) has suffered a catastrophic data breach, exposing the profile data of over 2.8 billion users.

The breach came to light Tuesday when cybersecurity researchers discovered a 34GB CSV file posted on BreachForums, a notorious hacking message board. The file was uploaded by a user going by “ThinkingOne,” who claims the data was stolen by a disgruntled former employee amid mass layoffs at the company.

According to analysts, the dataset combines two major leaks: fresh metadata from a 2025 breach and email addresses stolen in a 2023 incident—making it the biggest social media breach ever. 

Here’s everything you need to know.

X data breach: Timeline of events 

The roots of this breach trace back to January 2022, when Twitter first learned of a vulnerability through its bug bounty program. The flaw allowed attackers to extract user data simply by entering an email address or phone number. With no fix implemented, hackers exploited the vulnerability in July 2022, scraping and selling a large trove of user data. At the time, Twitter acknowledged the breach, confirming that bad actors had taken advantage of the loophole before it could be mitigated.

Now, that same stolen data appears to have resurfaced—merged with a separate breach from January 2025. This is thanks to “ThinkingOne”, a seemingly good actor who surfaced the data on BreachForums earlier this week, sharing a 34GB CSV file containing 201,186,753 data entries. They claim to have combined the previously stolen 2022 data with fresh user metadata from a 2025 breach.

Their motive? It seems that X has failed to acknowledge the breach, even though they tried to warn the company multiple times. In their post, ThinkingOne said:

“[I] tried contacting X via several methods with no response. There is no sign that X or the general public is aware of the largest social media breach ever.”

Cybersecurity analysts who reviewed the leak have confirmed that it includes:

  • X usernames and user IDs
  • Full names
  • Locations
  • Email addresses
  • Follower counts
  • Profile details
  • Time zones
  • Profile images

This kind of data is a goldmine for cybercriminals, making it easy to launch targeted phishing scams, identity theft, and financial fraud. 

How did the X breach happen?

In conversations with the media, ThinkingOne describes himself as a ‘data enthusiast’ rather than a hacker. He is adamant that the breach resulted from an insider threat and that X has done little—if anything—to investigate or contain the fallout.

“The real story (to me, at least) is that 2.8 billion records were exfiltrated from Twitter/X. This is by far the largest social media breach ever,” he said.

“How could someone enumerate all Twitter user IDs, unless they were an employee or this was a very serious hacking job?”

Given the mass layoffs at X over the past year, a disgruntled insider stealing user data isn’t out of the question. But X should have had safeguards in place to prevent this from happening.

Tools like data security posture management (DSPM) monitor internal data access for suspicious activity—such as mass file downloads—but it’s unclear whether X had such protections in place.
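
A minimal sketch of the access monitoring described above, added here as an illustration (it is not Polymer's or X's code): it flags a user who touches more than a threshold of distinct records inside a sliding time window, and records whether the IDs are consecutive, which is the enumeration pattern ThinkingOne's question points at. The log format, user names and thresholds are assumptions, and the sample log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample: alice does ordinary lookups, bob exports 150 consecutive ids."""
    start = datetime(2025, 1, 10, 9, 0, 0)
    lines = [f"{(start + timedelta(minutes=7 * i)).isoformat()} alice read {rid}"
             for i, rid in enumerate([1041, 2210, 87, 5512, 903])]
    lines += [f"{(start + timedelta(seconds=2 * i)).isoformat()} bob export {50000 + i}"
              for i in range(150)]
    return lines


def parse(line):
    """Assumed log format: ISO timestamp, user, action, numeric record id."""
    ts, user, action, rid = line.split()
    return datetime.fromisoformat(ts), user, action, int(rid)


def detect_bulk_access(lines, window=timedelta(minutes=10), max_records=100, seq_ratio=0.8):
    """Return {user: alert} for users touching > max_records distinct records within window."""
    recent = defaultdict(deque)  # user -> (timestamp, record_id) pairs still inside the window
    alerts = {}
    for ts, user, _action, rid in sorted(parse(l) for l in lines if l.strip()):
        q = recent[user]
        q.append((ts, rid))
        while ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        if user in alerts or len(q) <= max_records:
            continue
        ids = sorted({r for _, r in q})
        if len(ids) <= max_records:
            continue
        # Share of consecutive ids: a high value suggests enumeration, not normal lookups.
        steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
        alerts[user] = {"first_seen": ts, "records": len(ids),
                        "sequential": steps / (len(ids) - 1) >= seq_ratio}
    return alerts


if __name__ == "__main__":
    for user, alert in detect_bulk_access(build_sample_log()).items():
        print(user, alert)
```

In practice the threshold would be set per role from a baseline of normal access volume rather than fixed at one number.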

Lessons learned 

There are several key takeaways from this breach:

  • Deploy DSPM to mitigate insider threats – DSPM tools like Polymer prevent both malicious and accidental insider threats by tracking user data access and actions. Suspicious activity is automatically flagged, blocked, and reported to security teams for immediate investigation.
  • Prioritize vulnerability management – Leaving security flaws unpatched for months creates avoidable risks. Organizations must act swiftly to identify, patch, and monitor vulnerabilities before they can be exploited.
  • Strengthen incident response – Failing to respond to breaches erodes trust and damages reputation. Companies must establish and regularly test their incident response procedures to ensure they can act decisively when a security crisis hits.
