
The hacker allegedly combined data from a 2022 breach with data from a 2025 breach.
What happened
On March 30th, 2025, SafetyDetectives’ Cybersecurity Team found a web forum post in which a threat actor published a file that allegedly contained millions of records belonging to users of X, formerly Twitter.
The data was found on the publicly accessible website, Breach Forums. Threat actor “ThinkingOne” posted the data and is allegedly a former employee who was laid off recently. According to SafetyDetectives, the post included a 34-gigabyte .CSV file that contained 201,186,753 entries of data allegedly belonging to X users. The .CSV file contained headers hinting at what data may be involved. It included headings like ID, screen_name, name, location, description, URL, email, time zone, language, followers_count, and more.
SafetyDetectives reviewed a sample of 100 users to check for authenticity and found that the data on the forum matched individual profiles on X.
Going deeper
According to Forbes, the leaked data is connected to a January 2022 data breach. At the time, Twitter was facing a vulnerability through a bug bounty program, which allowed attackers to access platform data by knowing a user’s email address or telephone number. Twitter discovered the vulnerability in July 2022, but by then, an attacker was already attempting to sell stolen data. At the time, Twitter released a statement saying, “After reviewing a sample of the available data for sale, we confirmed that a bad actor had taken advantage of the issue before it was addressed.”
Now, ThinkingOne claims to have accessed that data. The bad actor also claims to have stolen or accessed data in January 2025. In their post, ThinkingOne claimed to have attempted to contact X but, having received no response, decided to post the data for free.
The bottom line
While most of the data included in the leak is publicly available, it could still put individuals at risk of phishing or social engineering scams. Individuals with X accounts should monitor the incident while we await a response from X.
FAQs
What will happen next?
X will likely investigate the validity of the claims before acknowledging whether a breach has occurred. If X verifies the breach, they will likely post a statement and evaluate their current cybersecurity policies, especially those concerning employees.
Why do hackers give away data for free?
While hackers will usually try to make money from their attacks, they may have other motives. Some hackers simply release data for free if attempts to get a ransom payment are unsuccessful. Other hackers may have a personal vendetta or motive for releasing data.