A new data leak claims that a former Twitter employee “very likely” published private profile metadata to a hacking forum in retribution for being let go when Musk took over the company, though the circumstances are far from confirmed and many questions remain.
The data leak comes from a Breach Forums user going by the handle “ThinkingOne,” who says that they combined the new profile data (said to have appeared in January 2025) with a prior breach from 2023 that was caused by API abuse. They say that this file now contains information on 2.87 billion profiles from the platform, but that they merely combined existing information that they found in an attempt to draw X’s attention to the incident.
Speculation that Twitter had an insider threat, but no confirmation yet
Previous breaches of Twitter have demonstrated that employees have had far-reaching access to profile and direct message information, so the claim is at least plausible in that sense. For example, an administrative tool that essentially gave unfettered access to accounts was famously used to take over celebrity profiles and promote crypto scams in 2020.
That tool provided access to highly sensitive contact information and private messages, however, neither of which have appeared in the 2025 or 2023 data leaks. The January 2025 information contains profile metadata such as user locations and time zones, and what web browser or app version they are using to post messages. Email addresses in the file that ThinkingOne posted appear to belong to the prior 2023 data leak and had already been made public.
Most of this information comes from ThinkingOne’s posts on Breach Forums and an interview they gave to Forbes, in which they said they are not personally involved with the data leak other than combining it with old information. They claimed that this was spurred by repeated attempts to contact X about the breach, which were met with no response. X has acknowledged the prior 2023 breach, which involved scraping of user profile data via API access, but has claimed that it did not contain any non-public information.
Origin of data leak remains unclear
ThinkingOne has a prior history of analyzing data leaks on Breach Forums, and is not known to participate in them. So there is reason to believe that everything is credible, to include third-party verification of samples of stolen data posted. But the idea of an insider leaking the data does not yet appear to have strong and direct supporting evidence.
The hacker’s central contention appears to be that since the Twitter IDs were enumerated in the data leak, something that would be a substantial amount of extra work for an attacker to do, a dump by an employee would be the most likely explanation. But there are questions as to why an employee laid off in 2023 would wait so long to dump the data, and why they did not or would not leak more sensitive information if their interest was in damaging the company.
Follow-up by security researchers with Cybernews claims that the first person to post the new X data was a Breach Forums user with the handle “ebiuprsy” and that this is where ThinkingOne got the new data from. There is little information available as of yet about this user.
Many questions remain about the data leak: if it was in fact the work of a former employee, if it was a matter of revenge for Musk’s sweeping layoffs, and if the entirety of the new information is in fact new and accurate. X users may not have had much more exposed than was already included in the prior 2023 leak, but may consider using the platform’s two-factor authentication which allows for the addition of a code or the use of a physical security key.
