hacked.com

How to Secure Your X (Twitter) Account

X account compromise usually starts in the recovery path, not in the feed, through weak email security, reused passwords, or phishing prompts.

Protection improves when you harden identity controls first, then review sessions and app permissions with a strict baseline.

Control-path hardening

  • Secure the email account tied to X, because it controls password resets.
  • Use a unique password stored in a password manager.
  • Enable two-factor authentication (2FA) and store backup codes safely.
  • Review active sessions and connected apps and remove anything you do not recognize.
  • Reduce contact risk: lock down DMs and limit who can tag or mention you where possible.

Safety note: Do not share verification codes in DMs or email. Any request for a code is almost always an attempt to take over an account.

The most common takeover routes

Route | What it looks like | Defense
Password reuse | Attacker logs in with a leaked password | Unique password in a manager
Phishing links | Fake login pages and urgent account warnings | Use official paths, not message links
Session persistence | Attacker stays logged in after you change a password | Sign out other sessions and remove devices
Recovery compromise | Email takeover enables password reset | Secure email first

Step 1: Secure the control plane

If your email inbox is compromised, attackers can reset the passwords for X and many other accounts. Start with a unique email password, strong authentication, and a review of recovery options and signed-in devices.

Step 2: Use unique passwords and strong authentication

Use a password manager and stop reuse. Then enable 2FA and store backup codes safely so you can recover without panic.

Related: Common password mistakes.

Step 3: Audit sessions and connected apps

Takeovers sometimes rely on access tokens rather than passwords. Review active sessions and connected apps periodically, especially after installing third-party tools.

Step 4: Reduce scam blast radius

If your account is public, compromise is often used to scam your followers. Reduce blast radius by limiting DMs and being cautious about “verification”, “copyright”, and “support” messages that pressure you to act fast.

Baseline: How to protect your online information.

If you think your account was hacked

  • Secure email first, then change the X password from a trusted device.
  • Sign out other sessions and remove unknown devices and apps.
  • Warn contacts through a trusted channel if scam posts were made.

Workflow: Been hacked? What to do first.

X security becomes predictable when you stop relying on “strong passwords” alone. Uniqueness, 2FA, and session hygiene remove the common takeover routes.

That also makes recovery calmer. If you can rotate credentials, revoke sessions, and protect recovery channels quickly, a takeover becomes a short disruption instead of a long, reputation-damaging event.

Build the habits you can execute under pressure: verify, contain, rotate, and recover into a baseline you trust. Those habits matter more than any specific UI label.