
Twitter / X Data Breach — Exercise Your GDPR Rights

Twitter (now X) has experienced multiple data incidents since 2022, exposing private contact details of millions of users. EU residents have full GDPR rights over data held by Twitter International in Dublin.

⚖️ Regulatory action: Twitter was fined €450,000 by the Irish DPC in 2022 for failing to notify the DPC of a 2019 breach within the required 72-hour window.

What happened

2023: 200 million users affected

A dataset containing 200 million Twitter users' email addresses was published online, compiled via a vulnerability in Twitter's API.

Data exposed:
  • Email addresses
  • Twitter usernames
  • Profile names

2022: 5.4 million users affected

A vulnerability in Twitter's API allowed attackers to match email addresses and phone numbers to Twitter accounts, exposing private contact details of 5.4 million users.

Data exposed:
  • Email addresses
  • Phone numbers
  • Account details
  • Profile information
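
The 2022 incident above is a contact-matching (account enumeration) flaw: a lookup endpoint told the caller whether an email or phone number was linked to an account. The block below is an added example, not Twitter/X code, and it does not describe the actual endpoint that was abused. It contrasts the leaky pattern with a hardened lookup that returns an identical response regardless of whether a match exists, rate-limits each caller, and keeps a pseudonymised audit log so bulk probing can be detected. The account store, `LOG_KEY`, caller ids and contacts are constructed for illustration.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Constructed sample account store (not real data): normalized contact -> handle.
ACCOUNTS = {
    "alice@example.com": "alice_handle",
    "+15550000001": "bob_handle",
}

# Hypothetical secret used to pseudonymise contacts in audit logs.
LOG_KEY = b"constructed-log-key-change-me"


def normalize(contact: str) -> str:
    """Canonicalise a contact so lookups and log hashes are consistent."""
    return contact.strip().lower()


def lookup_vulnerable(contact: str) -> dict:
    """The flawed pattern: the response reveals whether the contact is linked
    to an account, and which one, so a list of contacts can be turned into a
    list of accounts by anyone able to call the endpoint."""
    handle = ACCOUNTS.get(normalize(contact))
    if handle is not None:
        return {"exists": True, "handle": handle}
    return {"exists": False}


class HardenedLookup:
    """Contact lookup that does not disclose account existence to the caller.

    Controls: identical response whether or not a match exists (the account
    owner is notified out of band instead), a sliding-window rate limit per
    caller, and a keyed-hash audit log for detecting bulk probing."""

    def __init__(self, limit: int = 5, window_s: float = 60.0, now=time.monotonic):
        self.limit = limit
        self.window_s = window_s
        self.now = now                      # injectable clock for testing
        self.calls = defaultdict(deque)     # caller_id -> request timestamps
        self.audit_log = []                 # (caller_id, contact_hash)
        self.notifications = []             # handles notified out of band

    def _contact_hash(self, contact: str) -> str:
        # Keyed hash: logs remain correlatable without storing raw contacts,
        # so the audit trail cannot itself become another contact-data leak.
        digest = hmac.new(LOG_KEY, normalize(contact).encode(), hashlib.sha256)
        return digest.hexdigest()[:16]

    def _rate_limited(self, caller_id: str) -> bool:
        t = self.now()
        q = self.calls[caller_id]
        while q and t - q[0] > self.window_s:
            q.popleft()                     # drop timestamps outside the window
        if len(q) >= self.limit:
            return True
        q.append(t)
        return False

    def lookup(self, caller_id: str, contact: str) -> dict:
        # Log every attempt, including the ones we refuse.
        self.audit_log.append((caller_id, self._contact_hash(contact)))
        if self._rate_limited(caller_id):
            return {"status": "rate_limited"}
        handle = ACCOUNTS.get(normalize(contact))
        if handle is not None:
            # The side effect goes to the account owner, never to the caller.
            self.notifications.append(handle)
        # Same body and same keys whether or not a match was found.
        return {"status": "accepted"}

    def suspicious_callers(self, min_distinct: int = 3) -> list:
        """Detection: callers that probed at least min_distinct contacts."""
        seen = defaultdict(set)
        for caller_id, h in self.audit_log:
            seen[caller_id].add(h)
        return sorted(c for c, hs in seen.items() if len(hs) >= min_distinct)


if __name__ == "__main__":
    svc = HardenedLookup(limit=3)
    for contact in ("alice@example.com", "nobody@example.com", "+15550000001", "x@example.com"):
        print(contact, "->", svc.lookup("caller-1", contact))
    print("flagged callers:", svc.suspicious_callers())
```

The point of the uniform response is that the caller learns nothing it did not already know; the rate limit bounds how many contacts one caller can submit per window, and the hashed audit log is what lets a detection rule (here, `suspicious_callers`) flag callers that sweep through many distinct contacts.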

What you can do

Twitter/X holds significant personal data including your tweets, direct messages, ad targeting profile, location history, and device data. Post-breach, a GDPR request is the fastest way to audit what they have.

You have two key rights under GDPR:

Generate your access request

This letter is pre-addressed to Twitter International Unlimited Company, the official EU data controller for X (Twitter).

To: Twitter International Unlimited Company
One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland

Dear Data Protection Officer,

I am writing to exercise my rights under the General Data Protection Regulation (GDPR). As an individual whose personal data you process, I am requesting the following information:

  1. Confirmation that you are processing my personal data.
  2. A copy of my personal data.
  3. The purposes of the processing.
  4. The categories of personal data concerned.
  5. The recipients or categories of recipients to whom my personal data has been or will be disclosed.
  6. The envisaged period for which my personal data will be stored, or the criteria used to determine that period.
  7. The existence of my right to request rectification or erasure of my personal data, or restriction of processing, or to object to such processing.
  8. Information about the source of my personal data if it was not collected directly from me.
  9. The existence of automated decision-making, including profiling, and meaningful information about the logic involved.

Below is my information for your reference:

Name:
Email:
Address:

This request is of utmost importance to me and should not be ignored. The GDPR mandates that you respond within one month. Failure to comply may result in further action being taken.

Thank you for your prompt attention to this matter.

Sincerely,


1. Copy and send this letter to the data controller of the organisation.

2. Follow up until you hear back. The GDPR requires a response within one month.

3. No response? Lodge a complaint with your local data protection authority.
