X (Twitter) account hacked: what to do first and how recovery really works

X (formerly Twitter) is a public platform where a takeover is immediately visible: posts in your name, cryptocurrency scams, offensive content, or phishing links via DM. Attackers can gain access not only through passwords but also through connected third-party apps (OAuth).

A Twitter account takeover can be used not only to control your account but also to deceive your audience. The platform may also suspend your account because of the attacker's content.

Common takeover methods on X

Weak or reused passwords, phishing “verification” pages, SIM-related issues (see SIM swap), and breached databases all play a role. A hacked email that receives X codes is a frequent root cause.

Warning signs

  • Tweets, likes, or DMs you did not send
  • New devices in security settings
  • Email or phone changed
  • Unexpected subscription or payment changes

If you still have access

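Change your password, then open Apps and sessions and log out of unknown devices. Confirm that the email and phone on the account are yours, and turn on 2FA, with SMS if that is easiest for you; SMS codes remain exposed to the SIM swap risk noted above. Review connected apps that have post access.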

If you are locked out

Start from the login screen’s password reset on x.com or the official app. If the attacker changed the email, prior security notifications to your old inbox may still help. Follow only in-app flows—support impersonators are common on X itself.

Reputation and scam DMs

If followers received wallet scams or phishing links, delete what you can, post a brief warning, and report the compromise to X. For similar patterns on other networks, see Instagram or Facebook guides.

Preventing another takeover

Use a unique password, keep your email account secured, and avoid browser extensions that read page content on social sites. Change leaked passwords everywhere they were reused.

When recovery is stuck

Automated systems can deadlock when factors conflict. If you have a business need or repeated failures, RelyShield account recovery can map the next best steps.

X account compromised—is your audience safe?

If your Twitter account was compromised, it's important not just to regain access but to stop potential damage to your reputation and audience as quickly as possible. We help when email, phone, and platform recovery don't align.

Frequently asked questions

Can I recover X without email access?
It is harder. You may need phone-based recovery or X’s identity flows. Securing or recovering the email remains important long term.

Why did my username change?
Attackers sometimes swap handles to sell them or to hide traces. Check support options for handle disputes after you prove ownership.

Are “Twitter support” accounts in DMs real?
Almost never. Real notices usually arrive via email or in-app system messages, not random DMs asking for fees.

Should I delete the account?
Usually recover first; deletion can erase evidence and sometimes makes reclaiming your brand harder.

Does 2FA stop all hacks?
It stops most credential-based takeovers. You still need safe email and awareness of phishing that tries to steal codes.