Data leak
Primary Source: Have I Been Pwned / Twitter privacy blog / CSO Online
Incident Details
A Twitter API change in June 2021 introduced a vulnerability that allowed anyone to look up Twitter accounts by email address or phone number. Threat actors scraped the endpoint at scale before it was patched in January 2022. In January 2023, 200-235M email addresses linked to Twitter profiles were posted on hacking forums, offered both for sale and for free. The dataset merged private email addresses with public profile data (username, bio, follower counts). Ireland's DPC opened a GDPR investigation. Twitter/X did not formally notify affected users. No passwords were included.
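The defect described above is an unauthenticated lookup that turns a contact-discovery feature into an enumeration oracle. The following is an added example, not Twitter's code or anything from the cited sources: it places a lookup with that CWE-284 shape next to a hardened variant that requires an authenticated caller, caps lookups per caller per time window, honours a per-account discoverability opt-in, and returns the same response for "no such identifier" and "exists but opted out". The account data, session-token scheme and server key are constructed for the example.

```python
"""Added example (not Twitter's code): an unauthenticated email/phone-to-account
lookup beside a hardened variant. All names, tokens and records are constructed."""
import hmac
import hashlib
from collections import deque, defaultdict

# Constructed sample directory: username -> contact data and discoverability opt-in.
ACCOUNTS = {
    "alice": {"email": "alice@example.com", "phone": "+15550001", "discoverable": True},
    "bob":   {"email": "bob@example.com",   "phone": "+15550002", "discoverable": False},
}

# Reverse index over both identifier kinds, since the lookup accepts email or phone.
INDEX = {}
for _user, _rec in ACCOUNTS.items():
    INDEX[_rec["email"]] = _user
    INDEX[_rec["phone"]] = _user


def vulnerable_lookup(identifier):
    """CWE-284 pattern: no caller identity, no rate limit, opt-in flag ignored.
    Any party can confirm whether an email/phone maps to an account, and to which."""
    user = INDEX.get(identifier)
    return {"exists": user is not None, "username": user}


SERVER_KEY = b"constructed-server-key"  # placeholder secret for the example


def issue_session(user):
    """Mint a session token as user:hmac (hypothetical scheme for this example)."""
    mac = hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{mac}"


def verify_session(token):
    """Return the username bound to a valid token, else None."""
    try:
        user, mac = token.split(":", 1)
    except (ValueError, AttributeError):
        return None
    expected = hmac.new(SERVER_KEY, user.encode(), hashlib.sha256).hexdigest()
    if hmac.compare_digest(mac, expected) and user in ACCOUNTS:
        return user
    return None


class HardenedLookup:
    """Authenticated, rate-limited, opt-in-respecting lookup.

    "Not found" and "found but not discoverable" share one response shape, so the
    endpoint does not leak which identifiers are registered."""

    NOT_FOUND = {"status": "ok", "username": None}

    def __init__(self, limit=5, window_seconds=60):
        self.limit = limit
        self.window = window_seconds
        self.calls = defaultdict(deque)  # caller -> timestamps in the current window

    def lookup(self, identifier, session_token, now):
        caller = verify_session(session_token)
        if caller is None:
            return {"status": "unauthorized", "username": None}

        # Sliding-window rate limit per authenticated caller; bulk scraping
        # through one account stalls at `limit` lookups per window.
        q = self.calls[caller]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return {"status": "rate_limited", "username": None}
        q.append(now)

        user = INDEX.get(identifier)
        if user is None or not ACCOUNTS[user]["discoverable"]:
            return dict(self.NOT_FOUND)
        return {"status": "ok", "username": user}


if __name__ == "__main__":
    print(vulnerable_lookup("bob@example.com"))          # oracle reveals bob
    h = HardenedLookup(limit=3)
    tok = issue_session("alice")
    print(h.lookup("bob@example.com", tok, now=0))       # opted out: looks like not found
    print(h.lookup("nobody@example.com", tok, now=1))    # genuinely not found: same shape
```

The rate limit here is per authenticated caller, which is the minimum that makes large-scale scraping costly; a production service would additionally alert on callers that approach the cap repeatedly and on unusual numbers of distinct identifiers queried per caller.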
Technical Details
- Initial Attack Vector
  - CWE-284: Improper Access Control (unauthenticated API endpoint allowed email-to-account enumeration)
- Vendor / Product
  - Twitter / X
Timeline
- 2021-06-01: Breach occurred
- 2023-01-04: Publicly disclosed
- unknown: Customers notified