X leaks data on 2.8 billion profiles in alleged insider job
400GB leaked, but no personal information
Elon Musk’s X (formerly Twitter) has suffered a massive data leak affecting nearly 3 billion profiles, with no official response from the company.
The leak, according to a post on BreachForums, involves 2.87 billion profiles and is said to be the work of a disgruntled employee, who apparently stole the data during the period of mass layoffs after Elon Musk acquired the company in 2022.
According to BreachForums user ThinkingOne, the leak involves 400GB of information. Despite that, this data dump may actually be less damaging than the smaller one in January 2023.
The 2023 breach involved sensitive personal information on 200 million X accounts, including email addresses (X insisted the breach only involved publicly available data).
By contrast, although this latest breach is much wider in scope and scale, the information is largely metadata related to X profiles, aside from the location data. It includes:
- Account creation dates.
- User IDs and screen names.
- Profile descriptions and URLs.
- Location and time zone settings.
- Display names (current and from 2021).
- Follower count from both 2021 and 2025.
- Tweet count and timestamps of the last tweet.
- Friends count, listed count and favourites count.
- Source of the last tweet (such as TweetDeck or X Web App).
- Status settings (for example, whether the profile is verified or protected).
ThinkingOne claims they tried to contact X about the breach but got no response, so they posted on BreachForums instead.
They combined the 2025 breach data with the 2023 information, creating a single 34GB CSV file with about 201 million merged entities.
That means all the metadata in the 2025 breach can be linked to the email addresses and profile names from the 2023 incident.
Do the numbers add up?
The latest data from Social Shepherd shows X has 335.7 million users worldwide, so where did the other 2.5 billion profiles come from?
It’s possible that the leak includes historic or experimental data; information on banned or inactive profiles; or merged legacy and modern data. There may also be non-user entities like API accounts.
This is speculation, as is ThinkingOne’s suggestion that the information is from an X employee. It is, however, a plausible hypothesis.
So far, X has not responded to a request for comment.