Revisiting the X Data Breach: A Conversation with ThinkingOne, the Whistleblower Behind the 200 Million User Leak


Key Takeaways

  • Data Leak Scope: Over 200 million X user records were exposed, including email addresses, screen names, user IDs, and profile images. Those records overlap almost entirely with a separate, far larger dataset of 2.8 billion records associated with X/Twitter.
  • Cross-Referencing the Leaks: ThinkingOne used screen names to cross-reference the 200 million records with the 2.8 billion dataset, showing that nearly every account in the smaller leak also appears in the larger one, although he describes the two as separate incidents collected by different means.
  • Insider Job Theory: ThinkingOne suggested that the 2.8 billion record collection could be tied to insider access, given its timing around X's layoffs and the scraping limits of the API, though he emphasized that he has no direct evidence.
  • Public Data Release: ThinkingOne released the data publicly after multiple attempts to report the breach to X went unanswered. He judged that the data was already circulating and that releasing it would add little additional harm.
  • X's Lack of Response: Despite multiple outreach attempts, X has not responded to ThinkingOne's communications, which raises concerns about the company's handling of the breach and its security practices.

Deep Dive
In the vast and sprawling world of the digital frontier, where our lives are lived in bits and bytes, we often forget how much of our personal data is at risk, until something shatters that illusion of safety. In the early months of 2025, that illusion was pierced yet again when a massive data breach at X (formerly Twitter) exposed over 200 million user records. Names, email addresses, screen names, user IDs, and profile images, fragments of millions of lives, were laid bare for anyone to see.

However, this leak turned out to be just one part of a much larger issue. As the story unfolded, a researcher known as "ThinkingOne" came forward, revealing that this breach was linked to an even more extensive dataset, 2.8 billion records associated with X/Twitter. His involvement raised unsettling questions about how the data was accessed, why he chose to release it, and what it all meant for the future of digital privacy.

In this follow-up to the GRC Report's previous article, I explore ThinkingOne's insights into the breach, digging into the method he used to link the two datasets, his theory of an insider at X, and the moral calculus behind his decision to publish the data. His answers are both interesting and uncomfortable, forcing us to confront not just the vulnerability of one company, but the vulnerabilities of the entire digital ecosystem we depend on every day.

Cross-Referencing Data from Two Major Leaks
The connection between the 200M and 2.8B datasets did not happen by accident. ThinkingOne, the researcher behind the discovery, used a methodical approach to link them. By cross-referencing screen names, he was able to identify the accounts that appeared in both datasets, and found that nearly every account in the 200M leak also appears in the 2.8B dataset. He clarified, however, that the two were collected in separate, unrelated incidents: the overlap comes from the 2.8B dataset covering essentially all accounts, not from one leak being derived from the other.

“I used the screen names to cross-reference the breaches,” ThinkingOne explained. “I loaded the 200M breach (collected in 2021, leaked in January 2023) into memory, and sorted the records by screen name. I then went through each record from the 2.8B breach (collected November 2022 and leaked January 2025), and checked to see if the screen name matched one I had loaded into memory from the 200M breach. If so, I would print the data from both breaches.”

He went on to explain that the 200M dataset was collected in 2021 by exploiting a bug in the Twitter API. The bug allowed whoever collected it to submit email addresses found in other data breaches and learn whether each was linked to a Twitter account; the API returned the screen name associated with the email address. ThinkingOne further clarified that the 2.8B dataset, though not fully understood, likely included every Twitter screen name as of mid-November 2022.

“Nearly all of the screen names from the 200M breach also appear in the 2.8B breach simply because the 2.8B breach appears to have included every Twitter screen name,” he said.
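The cross-referencing method described above is a simple join on screen name: hold the smaller set in memory, stream the larger set, and look each record up. The block below is an added example written for this article, not ThinkingOne's code. It uses two small, constructed CSV samples in place of the real leaks, a dictionary in place of the sort-and-search in the quote, and adds two checks a practitioner would want: handles are normalized before comparison (X handles are case-insensitive), and a match whose numeric user ID differs between the two sets is flagged, since that usually means the handle was released and re-registered between the two collection dates and the email-to-handle link no longer holds.

```python
import csv
import io
from typing import Dict, Iterator, Tuple

# Constructed sample standing in for the smaller, email-bearing leak
# (the page's 200M set). Screen names are stored as the leak had them.
SMALL_LEAK_CSV = """id,screen_name,email
1001,alice_w,alice@example.com
1002,BobBuilds,bob@example.net
1003,carol_k,carol@example.org
1004,frank_z,frank@example.com
"""

# Constructed sample standing in for the larger, screen-name/ID dataset
# (the page's 2.8B set). In practice this file is far too large to load,
# so it is streamed row by row and never held in memory.
LARGE_LEAK_CSV = """id,screen_name,created_at
1001,alice_w,2010-03-04
1002,bobbuilds,2012-07-19
2001,dave_r,2015-01-01
9999,carol_k,2024-02-02
"""


def norm(name: str) -> str:
    """X/Twitter handles are case-insensitive; drop a leading '@' and lowercase
    so 'BobBuilds' and 'bobbuilds' compare equal."""
    return name.strip().lstrip("@").lower()


def index_small(fh) -> Dict[str, dict]:
    """Load the smaller set fully into memory keyed by normalized screen name.
    A dict gives O(1) lookups instead of the sort-and-search the quote describes.
    If a handle appears twice the later row wins; dedupe first if that matters."""
    return {norm(row["screen_name"]): row for row in csv.DictReader(fh)}


def cross_reference(small_idx: Dict[str, dict], large_fh) -> Iterator[Tuple[dict, dict, bool]]:
    """Stream the larger set and yield (small_row, large_row, same_id) for every
    screen name present in both. same_id is False when the handle matches but the
    numeric user ID does not, which usually means the handle was freed and
    re-registered between the two collections, so the email link no longer holds."""
    for row in csv.DictReader(large_fh):
        hit = small_idx.get(norm(row["screen_name"]))
        if hit is not None:
            yield hit, row, hit["id"] == row["id"]


def summarize(small_csv: str, large_csv: str) -> dict:
    """Run the join over two CSV texts and return counts plus the overlap ratio
    (fraction of the smaller set that was found in the larger one)."""
    small_idx = index_small(io.StringIO(small_csv))
    matches = list(cross_reference(small_idx, io.StringIO(large_csv)))
    same_id = sum(1 for _, _, ok in matches if ok)
    return {
        "small_records": len(small_idx),
        "matched": len(matches),
        "same_id": same_id,
        "reassigned": len(matches) - same_id,
        "overlap": len(matches) / len(small_idx) if small_idx else 0.0,
    }


if __name__ == "__main__":
    small = index_small(io.StringIO(SMALL_LEAK_CSV))
    for s, l, ok in cross_reference(small, io.StringIO(LARGE_LEAK_CSV)):
        flag = "" if ok else "  <- ID mismatch, handle likely reassigned"
        print(f"{s['screen_name']:<12} {s['email']:<22} id={s['id']}/{l['id']}{flag}")
    print(summarize(SMALL_LEAK_CSV, LARGE_LEAK_CSV))
```

On the constructed samples three of the four smaller-set handles appear in the larger set (an overlap of 0.75), and one of those three, carol_k, carries a different user ID in each set, so it is reported as a likely reassigned handle rather than a confirmed link. At real scale the same structure holds: the email-bearing set (hundreds of millions of rows) fits in memory on a workstation, while the billions-of-rows set is read once from disk.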

As he analyzed the data, another possibility began to take shape: that the 2.8B dataset had been collected with insider access.

“As far as the insider job theory, I do not have any actual evidence,” ThinkingOne clarified. “It is based on: [1] the time the 2.8B records were collected (November 2, 2022 through November 14, 2022, with November 2 being the day that Bloomberg broke the news that half of employees would be asked to leave 2 days later), [2] the time they were leaked (January 23, 2025, just days after the inauguration... a few days before federal employees received a ‘Fork in the Road’ email just like Twitter employees had), and [3] Nobody has come up with an explanation of how this could have been done by someone other than an employee or advanced hacker.”

ThinkingOne also noted that the limitations of X’s API made it unlikely that an external attacker could have gained access to such a massive dataset without inside access.

“The API had significant restrictions on scraping, so it’s more plausible that an insider could have accessed the data without raising alarms,” he said. “It seems like there was internal knowledge about how to bypass these restrictions.”

Why Release the Data? ThinkingOne’s Motivation

While ThinkingOne grappled with the legal and ethical complexities of the breach and of releasing the dataset, he was also faced with what he described as X's complete lack of response to his multiple attempts to notify the company. Despite reaching out on several occasions, he received no acknowledgment from X, which only added to the urgency of the situation.

“I first reported the breach on January 24 (to someone outside of Twitter/X, I'd rather not go into more detail),” ThinkingOne said. “I assumed the breach would have made the news. On March 16, 2025, I filled out X's contact form online, and separately emailed ‘[email protected]’ the same day. On March 27, I tried emailing [email protected] (which bounced).”

Frustrated with the lack of response, ThinkingOne decided to release the data.

“I believed the damage from releasing this data should be minimal,” he stated. “Since the main value to hackers was the email-to-screen name link, which came out in 2023, and that data was already deemed public by Twitter.”

As he moved forward with releasing the data, he was acutely aware of the potential legal implications. Given the sensitive nature of breach data, he took steps to help ensure his actions remained within legal boundaries.

“I am familiar with U.S. hacking laws (which only apply if you connect to other computers without authorization),” he explained. “To my knowledge, nobody has been convicted for freely distributing data from breaches. And Twitter considered the data from the 2023 200M breach to be public data, and the 2.8B breach appears to be public data.”

ThinkingOne also noted that he believed the release of the data was ethically justified, especially since it primarily contained information already circulating in the 2023 breach.

“The damage if 2.8 billion emails/phones/IPs/passwords were taken would dwarf anything I released,” he added.

On top of that, he also clarified that he did not believe that the data released would offer much value to hackers, as much of the information had already been exposed in earlier leaks.

“I feel that hackers are going to do very little with what I released,” he said. “The 2.8B breach got almost no reaction from hackers on Breach Forums (since most of it is easy to obtain if you have the screen name of an X user). The data was already out there, although perhaps less convenient. The email-screen name link is where the problem is, and that data was out in 2023.”

He emphasized that his actions didn’t give hackers new opportunities for exploitation but rather made previously exposed information more accessible.

The Fallout from the Breach

X's failure to address, or even acknowledge, ThinkingOne's repeated attempts at contact raises serious concerns about its commitment to protecting user data and responding to major security incidents. This apparent inaction not only compounded the urgency of the situation for ThinkingOne but also points to larger systemic weaknesses within the company, particularly in its ability to respond to reported threats in a timely and responsible manner.

“As far as I know, X has not responded to me or attempted to contact me in any way,” he said. “I have not seen any indication that they have responded in any way (publicly or privately) or are even aware of the breach.”

He further stated that he believed the 2.8 billion accounts were real accounts, with minimal duplicates.

“In the sample I tested, 94% were valid screen name+ID combinations,” he noted. If the dataset does consist of real account records rather than outdated, inactive accounts or bots, the breach is far more serious than initially reported. It is worth noting, however, that most estimates put X's active user base between 500 and 650 million, so a dataset of 2.8 billion records would have to cover far more than the accounts in active use.

The breach at X is yet another reminder, in a growing list of reminders, of the vulnerabilities in major social media platforms. The exposure of 200 million records, combined with the potential scale of the 2.8 billion breach, highlights the need for better security and transparency. For users, this incident raises serious concerns about the protection of their personal data. The potential increased risk of phishing and social engineering scams further underscores the urgency of addressing these vulnerabilities.

As ThinkingOne’s story illustrates, the company’s response to the reported breach (or potential lack thereof) raises further questions about X’s ability to protect its users. Without concrete action, the damage from this breach could possibly extend far beyond the initial exposure.

For now, X users should remain vigilant, treat unsolicited messages that reference their account or email address with suspicion (the email-to-screen-name link is the piece most useful for targeted phishing), and keep a strong, unique password with two-factor authentication enabled. Moving forward, X and other platforms must do more to protect user data, rebuild trust, and ensure that security is a priority.
