Analysis of the 2.8 Billion user Twitter/X Breach
by ThinkingOne - Tuesday April 1, 2025 at 06:35 PM
#1
Sometimes, you feel crazy... you're certain of something, but it seems that everyone is trying to convince you otherwise. That's how I feel right now. The biggest social media breach ever, info on 2.8 billion user accounts leaked, that could have emails/phones/passwords not yet leaked... and lots of uninformed "Oh, they only have 335M users, the breach proves X is 80% bots" and "It's just a mix of old public data", tied in with a "Could there really be 2.8 billion accounts?" (to which no security researchers respond). Hopefully I'm not beating a dead horse here.

So, I've prepared a detailed analysis. Like about 8 pages long (but intended for non-geeks to be able to read). A few key points:

Yes, X definitely has/had at least around 2.8 billion "live" accounts (e.g. ones that you can go to their page at X).

No, it's not 335M "live" accounts and 2.5B bots.

This came from someone who had access to the Twitter database that was restricted and not known to the outside world (either a hacker or employee)... in which case from a security standpoint you have to assume that they have emails, phones, passwords (unless/until X investigates and can state otherwise).

The file is available at https://gofile.io/d/l6lbY9.

I'm happy to answer questions, help security researchers find the files if needed, etc. PMs here are easy, but you can also contact me via Telegram at @ThinkingOne.
#2
beautiful read and analysis, as always

It is most likely an employee, with one of his posts on the thread being "Not on this one" when answering a question about hashes which COULD indicate that there is another version in his hands with emails/hashes

As for the numbers, there are definitely more than 600m real twitter users, I VM twitter a lot and I have at least 700M existing emails, which doesn't mean all of them are real but there definitely are more than 250m
A decent part is botted accounts, if you sort through the data you will find accounts in the format name + x amount of numbers (same format as default generated usernames from twitter when signing up via gmail etc) which are usually correlated and created in the same date/month, with most of them being in 2022

It is NOT bruteforced, while it is possible to manually bruteforce and manually scrape, actually coming up with the usernames makes it take 50+ times as long as there are not over 2b leaked unique usernames combined
for reference, the best tools to scrape will let you do at best, 40 million a day, but to come up with the usernames needed when most of them don't even exist in leaks is impossible, one would have to send twitter a minimum of 200 billion requests, which would take over 10 years, in 2022 scraping usernames was way easier but even at 500 million requests a day, you would need a year, minimum.

The actor most likely had an endpoint where he could get usernames through IDs, an existing list of users or the raw data itself

Nevertheless, one of the biggest leaks of the decade, even if it is only usernames
#3
(04-01-2025, 07:24 PM)retard Wrote: Nevertheless, one of the biggest leaks of the decade, even if it is only usernames

Great information, thank you.

The funny thing is that this would have been all over the news in January if the person who posted it here added a few simple words (true or not), like "More to come" or "I removed the phones, emails, and passwords" or "This is all I feel comfortable releasing".

But I have to love one of the responses from xAI's Grok: "@Grok advises X to investigate the March 2025 data breach (2.8B records, possibly bots), notify users, secure systems, and review internal security due to insider job hints. X should issue a public statement, offer identity monitoring to rebuild trust, and ensure legal compliance, given no official response yet." Will X listen to their new stepbrother Grok?
#4
very interesting read thank you
#5
very nice analysis you should do this more often. I found myself in the 200M merged file including email so that leak/scrape/whatever is also real data
#6
have u reposted the data? ik it was originally split into multi files. id combine them into 1 400gb file then compress
#7
(04-02-2025, 11:19 PM)nig Wrote: have u reposted the data? ik it was originally split into multi files. id combine them into 1 400gb file then compress

I haven't posted the 2.8 billion breach, either as leaked or altered. I'm not the source, and need to be careful what I do.

Personally, I prefer to have as close to the original files as possible (the 2.8B dataset that was leaked wasn't the original files, so we don't know what else might be in there). Each time data is manipulated (split, combined, fields added/removed, converted, etc.), there's a decent chance of error if not done carefully.

I also like the idea of a single 400gb file: when I add the 2.8 dataset to my database, I'll almost certainly do it as a single file. I've got a few files that big, and if it is all the exact same data, one file is simpler.
#8
Now it's at the point that I'm starting to hope that a known website does an article answering some of the key questions (and ignoring the whole 200M piece, that's 2-year-old news).

The Twittersphere (and Reddit, and a few other places) are trusting each other to provide them the news. My god, some get really crazy. One guy thinks that Elon Musk leaked the data(???), another guy thinks that xAI leaked the data so they would have an excuse to use it as public data(???). And the dumber folk seem not to understand that if X has 2.8 billion accounts but reports 335M or 600M users, that doesn't mean that there are 2 billion bots (any more than it would mean that there are 2 billion grandmothers using it!).

MSN covered it... sort-of. They are using a story by ABP Live Tech, that reports what was said by Mashable, that they heard from Safety Detectives that heard it from me. I'm losing count, is that 5th hand information? Theirs says "Hackers Claim Over 200 Million Email IDs Leaked" (AI headline?). Safety Detectives is typically quoted as the "source" of this news (apparently, journalism works on the "I had dibs!" system... once a site that has enough clout reports something, they are the source), despite HackRead being the first to cover it.

Tons of news aggregators likely using AI to generate their articles based on others, adding misinformation/confusion.

Forbes and Newsweek did good articles, but perhaps since there are no security researchers willing to go on the record, no media has made it really clear yet that [1] the new breach was 2.8 billion accounts (that 200M is old news and a different breach), [2] there really are 2.8 billion X accounts, [3] the 2.8 billion accounts are live accounts, not deactivated accounts, bots, spam accounts, etc., [4] this was a breach, not a public scrape, it used restricted access to the Twitter database... and unless X can say otherwise, we have to assume that other data (like phones, emails, passwords) was stolen as well.

Maybe the security researchers and major news sites are afraid of the ramifications due to the political environment?
#9
Thank you for the interesting analysis.
Interesting that Musk is carrying out his absurd handover from X to xAI now of all times.
Could also have something to do with this data breach to cover up this breach and his financial problems with X from creditors. After all, Musk borrowed an immense sum from a major bank to buy Twitter from shareholders.

See Musk "DESPERATELY Bails Himself Out with IMAGINARY $80B!" from Stephen Woodford
And last Video from Mark Thompson.
#10
(04-01-2025, 06:35 PM)ThinkingOne Wrote: Sometimes, you feel crazy... you're certain of something, but it seems that everyone is trying to convince you otherwise. That's how I feel right now. The biggest social media breach ever, info on 2.8 billion user accounts leaked, that could have emails/phones/passwords not yet leaked... and lots of uninformed "Oh, they only have 335M users, the breach proves X is 80% bots" and "It's just a mix of old public data", tied in with a "Could there really be 2.8 billion accounts?" (to which no security researchers respond). Hopefully I'm not beating a dead horse here.

So, I've prepared a detailed analysis. Like about 8 pages long (but intended for non-geeks to be able to read). A few key points:

Yes, X definitely has/had at least around 2.8 billion "live" accounts (e.g. ones that you can go to their page at X).

No, it's not 335M "live" accounts and 2.5B bots.

This came from someone who had access to the Twitter database that was restricted and not known to the outside world (either a hacker or employee)... in which case from a security standpoint you have to assume that they have emails, phones, passwords (unless/until X investigates and can state otherwise).

The file is available at https://gofile.io/d/l6lbY9.

I'm happy to answer questions, help security researchers find the files if needed, etc. PMs here are easy, but you can also contact me via Telegram at @ThinkingOne.

The only thing you proved is that you don't know what scraping nor API abuse are.
That's why you don't write an analysis when your mind is already set on a conclusion. That's not an analysis, it's a thesis statement at most.
But eh at least Forbes used your lack of knowledge to spread FUD coz they hate Musk and Trump or something.


(04-01-2025, 07:24 PM)retard Wrote: for reference, the best tools to scrape will let you do at best, 40 million a day, but to come up with the usernames needed when most of them don't even exist in leaks is impossible, one would have to send twitter a minimum of 200 billion requests, which would take over 10 years, in 2022 scraping usernames was way easier but even at 500 million requests a day, you would need a year, minimum.
I guess everyone is limited to 1 box and 1 account to scrape or send their API requests. ¯\_(ツ)_/¯
This kind of half-baked thought is always a nice reminder that I'm not reading an XSS post.


Sorry if my post sounds mean but please stop talking about things you don't master.