When a second factor disappears, treat it as a security incident until you can prove it was a platform change. The most common failure mode is simple: an attacker gets hold of a live session or your email inbox, then weakens your controls (turns off 2FA, changes the recovery email or phone) so you cannot kick them out later.
| Start here | Why it matters | What “good” looks like |
|---|---|---|
| Secure your email inbox first | Email is the control plane for most resets and alerts | Inbox has 2FA, no suspicious forwarding rules, recent logins reviewed |
| Change the X (Twitter) password from a clean device | Cuts off access gained through password reuse or credential stuffing; a clean device means a keylogger or malicious extension cannot capture the new password | Unique password stored in a password manager |
| Review active sessions and connected apps | Stolen sessions survive password changes in some scenarios | Only your devices are signed in, unknown apps revoked |
| Re-enable a strong second factor (not SMS) | SMS is vulnerable to SIM swapping and port-out abuse | Authenticator app, security key, or passkey enabled where available |
| Decide if this was policy or compromise | Response differs if the platform forced a change | You can point to a known platform announcement or a clear compromise indicator |
Rule of thumb: if you did not change the setting, assume an attacker did. Work the checklist, then downgrade to “policy change” only if the evidence fits.
Stabilize the control plane before you touch X settings
If your email account is compromised, every “fix” inside X can be undone. Take 10 minutes and lock the inbox first.
- Change your email password and enable two-factor authentication (2FA) on the email account.
- Check for mailbox forwarding rules, “send mail as” delegates, and recently added recovery emails or phone numbers.
- Review recent sign-in activity and sign out of sessions you do not recognize.
- If you use SMS codes on email, treat that as temporary and plan to move to an authenticator app, a security key, or a passkey if your provider supports it.
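The second bullet above is where most account takeovers hide: a forwarding rule to an address the attacker controls, or a filter that deletes or archives the login alerts and reset emails before you see them. The following added example (written for this page, not code from X or any mail provider) audits a list of mailbox rules for exactly those two patterns plus "created recently". The rule shape (name, created, match_from, match_subject, forward_to, actions), the sample rules and the owned-domain list are all constructed for the example; map your provider's real export onto that shape.

```python
"""Audit exported mailbox rules for the two things an account-takeover
attacker usually adds: a forward to an address they control, and a rule that
hides security mail (login alerts, reset links, 2FA codes) from the owner.
The rule shape used here is a simplified, hypothetical export format chosen
for this example, not any provider's real format.
"""
from datetime import date, timedelta

SECURITY_DOMAINS = {"x.com", "twitter.com"}  # senders of X account mail
SECURITY_LOCALPART_HINTS = ("security", "no-reply", "noreply", "account", "verify")
SECURITY_SUBJECT_TERMS = ("password reset", "security alert", "new login",
                          "verification code", "login code", "two-factor", "2fa")
HIDING_ACTIONS = {"delete", "archive", "mark_read", "skip_inbox"}


def _split_address(addr):
    """Return (local_part, domain) for 'user@host', or ('', 'host') for a bare domain."""
    addr = addr.strip().lower()
    if "@" in addr:
        local, domain = addr.rsplit("@", 1)
        return local, domain
    return "", addr


def _in_domains(domain, domains):
    """True if domain equals, or is a subdomain of, any entry in domains."""
    return any(domain == d or domain.endswith("." + d) for d in domains)


def _targets_security_mail(rule):
    """Does the rule match mail from X / security senders or security-themed subjects?"""
    local, domain = _split_address(rule.get("match_from") or "")
    subject = (rule.get("match_subject") or "").lower()
    return (_in_domains(domain, SECURITY_DOMAINS)
            or any(h in local for h in SECURITY_LOCALPART_HINTS)
            or any(t in subject for t in SECURITY_SUBJECT_TERMS))


def audit_rules(rules, owned_domains, today, recent_days=30):
    """Return findings: 'high' for external forwards or hidden security mail,
    'review' for rules created recently that are otherwise unremarkable."""
    owned = {d.lower() for d in owned_domains}
    findings = []
    for rule in rules:
        strong = []
        fwd = rule.get("forward_to")
        if fwd:
            _, fwd_domain = _split_address(fwd)
            if not _in_domains(fwd_domain, owned):
                strong.append(f"forwards mail to external address {fwd}")
        hiding = set(rule.get("actions", [])) & HIDING_ACTIONS
        if hiding and _targets_security_mail(rule):
            strong.append("hides security mail via " + ", ".join(sorted(hiding)))
        recent = today - date.fromisoformat(rule["created"]) <= timedelta(days=recent_days)
        if strong or recent:
            reasons = strong + ([f"created within the last {recent_days} days"] if recent else [])
            findings.append({"rule": rule["name"],
                             "severity": "high" if strong else "review",
                             "reasons": reasons})
    return findings


# Constructed sample export: the owner's domain is example.org (assumption).
OWNED_DOMAINS = {"example.org"}
TODAY = date(2024, 5, 1)
SAMPLE_RULES = [
    {"name": "Shop newsletters", "created": "2021-03-02",
     "match_from": "news@example-shop.com", "actions": ["archive"]},
    {"name": "Quiet", "created": "2024-04-28",
     "match_from": "info@x.com", "actions": ["mark_read", "delete"]},
    {"name": "Backup copy", "created": "2024-04-28",
     "forward_to": "recovery.backup99@mail-example.net", "actions": []},
    {"name": "Work alias", "created": "2022-01-10",
     "forward_to": "alias@example.org", "actions": []},
    {"name": "Receipts", "created": "2024-04-20",
     "match_subject": "your receipt", "actions": ["archive"]},
]

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES, OWNED_DOMAINS, TODAY):
        print(f"[{f['severity']}] {f['rule']}: " + "; ".join(f["reasons"]))
```

On the sample data this reports "Quiet" (deletes mail from x.com) and "Backup copy" (forward to an outside domain) as high, and "Receipts" only as a recent rule to eyeball. The point is the pattern: a forward you did not create, or a rule that silently handles mail from the platform you are trying to recover, is a compromise indicator on its own.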
Separate “platform change” from “account takeover”
There are legitimate reasons 2FA can change, but they are less common than compromise. Work through the decision points below.
Signals it may be a platform or subscription policy change
- You received an official message explaining a required change (in-app notification and email), and the timestamps line up.
- Your account was enrolled in SMS 2FA and then it was automatically disabled after a policy cutoff.
- You can still log in, your email and phone on the account are unchanged, and there is no new device/session you do not recognize.
X (then still Twitter) announced on February 17, 2023 that SMS-based 2FA would be limited to Twitter Blue subscribers; accounts that still had SMS 2FA enabled after March 20, 2023 had it switched off. Authenticator apps and security keys stayed available to everyone. SMS 2FA availability also varies by country and carrier.
Signals it is more likely compromise
- Your account email, phone number, username, or display name changed and you did not do it.
- You see logins from devices or locations you do not recognize.
- Posts, DMs, follows, or ad activity happened without you.
- You received password reset emails you did not request, or you got login codes when you were not signing in.
Common mistake: focusing only on the 2FA toggle. The usual root cause is a compromised inbox, a stolen session, or password reuse.
Kick out sessions and revoke connected apps
Attackers often keep access through a saved session (cookie/token) or a third-party app they authorized. Clean both.
- In X settings, review logged-in devices and active sessions. Sign out of everything you do not recognize.
- Review connected apps and revoke any app you do not actively use. If in doubt, revoke first and re-authorize later.
- If you manage brand accounts or shared accounts, review delegates/team access and remove anyone unexpected.
If you keep seeing your account “snap back” after changes, treat it as session hijacking or control-plane compromise, not a settings glitch.
Re-enable a stronger second factor (and make it recoverable)
Once your inbox is secure and sessions are cleaned, set 2FA back up using a method that survives SIM swap and phishing.
- Authenticator app (TOTP): good baseline protection. The secret lives only on your device, so plan for losing that device before it happens: save the backup codes X gives you, and if your app supports encrypted export or cloud backup of seeds, set it up and write down where the backup is.
- Security key (FIDO2/WebAuthn): strong phishing resistance because the key only answers for the real origin. Keep at least two keys if the account matters, and enroll both on the account, so losing one does not lock you out.
- Passkeys: strong and user-friendly, but availability varies by device and platform. If supported, it is often the easiest “strong” option for non-technical users.
Enable backup options intentionally. Backup codes are only useful if you can find them during an incident, and “recovery email” is only useful if that inbox is already secured.
If you keep getting logged out or 2FA keeps changing
Repeated security changes after you lock down email and rotate passwords usually means one of these is still true:
- Your email account is still compromised (forwarding rule, OAuth access, or a second device you missed).
- Your phone number is being attacked, for example a SIM swap or a takeover of your carrier account. Put a port-out PIN or account lock on the carrier account and stop using that number as a recovery factor.
- A device is compromised (malware, a rogue browser extension, stolen session tokens). If the signs point this way, check for spyware and remove any device profiles or management configuration you did not install.
- You are being actively phished. Re-read how phishing succeeds in practice and how to identify scam emails, especially any message urging you to "re-verify" 2FA.
If you cannot sign in
Use official recovery and support flows, and do not pay for “support” offered via DMs or random phone numbers. Start from X’s official help pages for compromised accounts and login verification issues, and keep all communication on the official domain.
Security setting changes are rarely “just a glitch”. Once you can explain why the change happened and you control the inbox, the devices, and the second factor, the problem usually stops repeating. If you cannot reach that stable state, assume there is still a hidden access path and keep working outward from email and sessions until only your devices can change security settings.
