🚨 Alert: Your X.com Data Just Hit the Dark Web (And It’s Not a False Alarm)
If you woke up to a bright red notification from your security provider today, you’re not alone. A database linked to X.com has been found circulating the web, and the numbers are staggering: 4 million records have been exposed.
While the “scraping” reportedly happened in January 2025, the data is now fully out in the wild. Here is what you need to know, why it matters, and how to lock down your digital life immediately.
The Anatomy of the Leak
This wasn’t a “traditional” hack where someone broke into a vault. Instead, it was data scraping—a process where bots harvest information that is technically “public” or semi-private through loopholes in a website’s code.
What exactly was leaked?
- Identities: Your Name, Username, and Biography.
- Contact Info: Primary and alternate Email addresses and Phone numbers.
- Social Footprint: Your Follower count and Location data.
Why This is More Dangerous Than It Looks
You might think, “So what? My name and follower count are already public.” The reality is that this isn’t about any single piece of information; it’s about the puzzle the pieces form together.
- Deanonymization: If you run an anonymous account to speak freely, your “private” email is now linked to that handle. Your mask just slipped.
- Hyper-Targeted Phishing: Scammers won’t just send a random “Click here” email. They will address you by name, mention your follower count, and use your location to make a fake “Security Alert” look 100% authentic.
- Credential Stuffing: Hackers take that leaked email and try it on every other site (Amazon, Banking, Gmail) to see if you’ve reused your password.
What You Must Do Right Now
Step 1: The Password Purge
If you haven’t changed your X password since January 2025, do it now. If you use that same password anywhere else, change it there too. Use a password manager to ensure every site has a unique, complex key.
Step 2: Fortify with 2FA
Turn on Two-Factor Authentication (2FA). Pro-tip: Don’t use SMS (text) codes, as phone numbers were part of this leak. Use an Authenticator App (like Google or Microsoft Authenticator) or a physical security key.
Step 3: Scrub Your Bio
Limit the amount of personal “metadata” you leave in your profile. Do you really need your city and your birth month in your bio? Every detail is a weapon for a social engineer.
Step 4: Watch Your Inbox
Be extremely skeptical of any “official” emails from X.com over the next few months. If it asks you to log in, don’t click the link in the email—go directly to the website in your browser.
The Bottom Line
In 2026, data is the new currency, and unfortunately, we are all being spent. Platforms like X are massive targets, and while they “mask” lawlessness behind tech jargon, the reality is that you are your own best line of defense.
Don’t wait for the “false positive” to become a real identity theft. Secure your accounts today.
Did you get this alert? Tell us in the comments which data points were flagged for you—let’s track how wide this really goes.
Peer-to-peer note: Since this incident involves scraping, it’s a good time to remind your audience that “Private” settings on social media are often more like a “Suggested” setting for determined scrapers. Stay vigilant!
