A massive data leak of 2.87 billion X/Twitter profiles, more than four times the site’s current active monthly user estimate and likely including most going back to the creation of Twitter, may have been the work of a disgruntled former employee laid off during Musk’s takeover of the company.
The poster, who goes by the user name “ThinkingOne” on leading underground hacking site Breach Forums, does not claim to have been involved with the breach but claims that the leak was “almost certainly” the work of an insider upset about being let go from the company during the mass layoffs that Musk instituted as he purchased Twitter. While this is still merely a theory and unconfirmed, it is at least plausible given information from prior Twitter breaches demonstrating that employees had wide-ranging access to user personal information.
Massive X/Twitter data leak has gone under the radar
ThinkingOne refers to a January 2025 data leak that has thus far not drawn much media attention, and has yet to draw any official comment from the company. They posted the data themselves to Breach Forums, consisting of a single 34 GB CSV file. In an interview with Forbes, the self-styled “data enthusiast” claims that they merged a more recent leak with an older breach from 2023 to create the file and that they did so as a public warning rather than a for-profit or activism attempt.
ThinkingOne’s file contains profile metadata that would generally not be available to the public, such as a more specific account creation date than the one usually listed in public-facing profiles, location and time zone settings, and the method used to post the most recent tweet (such as a web browser or a particular X mobile app version).
Adding to the general confusion is the fact that this new data leak was merged with the information from the prior 2023 data scraping breach by a different threat actor, which contained different information including account email addresses. X has previously acknowledged that leak but claimed that it contained nothing but information that is already publicly available, though the presence of email addresses tied to accounts would seem to contradict that.
In addition to verification by third parties of the samples posted, the credibility of the new 2025 data leak is supported by ThinkingOne’s general reputation on the platform. The user has a history on Breach Forums of analyzing leaked data sets and finding markers of authenticity and likely sources, rather than participating in hacking or leaking themselves. The user has also previously proactively contacted breach victims to warn them of developing situations in the criminal underground, and says that they have attempted to reach out to X several times about this new data leak with no response as of yet.
What is less clear is the evidence for it being a disgruntled former employee, other than the obvious motivation of revenge for losing their job. The 2023 data scraping incident was similarly from an unclear source, with security researchers determining that the data had come from 2021 and prior. With this incident it is similarly unclear why they would sit on stolen data for nearly two years and then dump it, if an insider is indeed the culprit. ThinkingOne claims that it was likely sourced from an employee given that all of the Twitter IDs were enumerated, something that a data scraper or hacker would be unlikely to have the means or motivation to do.
Some security researchers have claimed that ThinkingOne made use of a recent data leak posted by another Breach Forums user calling themselves “ebiuprsy” to add the new supplemental metadata information.
Randolph Barr, CISO at Cequence, adds some insights as regards verification of the data leak: “The data has not been validated in terms of its true availability, as it may be necessary to purchase the entire list to confirm its accuracy, or only a portion might be accessible. Additionally, it has not been validated whether the data relates to layoffs or occurred during that time, nor has it been confirmed if an insider was involved. Assuming an insider was responsible, this situation highlights the importance of automating depression in asset access, including laptops, as well as the ongoing need to monitor data loss prevention systems to track where sensitive data is stored. Data governance is a challenging program to implement for managing sensitive data, but it is crucial for security. The future of technical controls is evolving, with a growing emphasis on behavioral analytics to detect negative events and identify them sooner. Automated access reviews, powered by the latest technology, are improving the process of determining whether users or service accounts still require access. Lastly, for investigative purposes, it is essential to retain boots for use in any investigations.”
Insider threat theory remains unconfirmed
The source of the data leak will likely remain a matter of mystery until X weighs in (if it ever does), but there is circumstantial evidence both in favor of and against it.
Prior breaches have revealed that a substantial number of Twitter employees have had the means or opportunity to access this sort of information. The primary example is the 2020 Twitter breach, which saw about 130 high-profile accounts hijacked and used to promote crypto scams. That breach was perpetrated by a group of teenagers who social-engineered their way into lower-level Twitter employee accounts, which were then used to reach higher-level accounts with broad administrative access, allowing them to directly view and change the personal information and account details of anyone using the platform. Any insider who found their way to that same administrative tool could easily have obtained the sort of information found in the data leak.
The argument against an insider being behind the data leak, articulated by the Cybernews researchers who questioned ThinkingOne’s story, is that employees likely had access to much more sensitive information than what was made available. If they were truly looking to damage the company, why not leak direct messages or IP logs, among other sensitive items?
Andrew Costis, Engineering Manager of the Adversary Research Team at AttackIQ, notes that though the breach does not contain particularly sensitive information it may be prudent for X users to take security precautions: “This case serves to further highlight the need for organizations to implement effective breach detection and prevention security measures. Insider threats are dangerous because they’re often overlooked and are harder to detect than traditional threats. Proactive testing and validation of security controls is imperative to protect your customer data, particularly data loss prevention policies. Additionally, users impacted by the X breach can take actions to protect their information further. Enabling multi-factor authentication should be the first step to add an extra layer of security to accounts.”
Renuka Nadkarni, CPO at Aryaka, additionally notes: “The human element remains the most challenging aspect of the attack vector. Most organizations I’ve spoken with still struggle with fundamental access control issues around their intellectual property and assets. Employees, depending on their roles, have access to a mix of legacy applications, SaaS platforms, and cloud-hosted solutions, creating a fragmented security landscape. While security teams establish foundational safeguards, individual application owners manage more granular controls. Next-gen firewalls, CASB, SSE, and identity broker solutions can only secure and monitor traffic that passes through them, but real-world network paths and security layers create gaps, making comprehensive security enforcement nearly impossible. Organizations must ensure network paths are streamlined through security enforcement control points.”