How to Avoid Getting Hacked on X

The message "Account hacked" is displayed in red on a computer screen.
Photo ID: 15329609 © ruskpp/

If the SEC and Google owned security firm Mandiant can have their X (formerly Twitter) accounts hacked, so can you! That’s why in today’s post I’m going to walk you through how to secure your X account. 

In what follows, I’m going to assume you are still using a password for X. However, X is introducing passkeys, a more secure password alternative. Right now, passkeys are only available for iOS users, but, once they are more widely available, I’ll write a guide on securing your X account with passkeys, too!

Table of Contents

Basic security: Your password 

stylized 3D password form web browser login floating over orange infinite Background; green checkmark secure password and protection concept; 3D Illustration
Photo ID: 643122260 © Imilian/

Let’s start with the basics. You probably already know you need to use a unique, strong password, but knowing password best practices and actually implementing them are two different things! So take a moment right now to check that your X password is at least 14 characters long, uses a mix of upper and lowercase letters, numbers and special characters, and is not easily guessable. Also, double check you’re not reusing that password elsewhere!

If you struggle to create and remember passwords on your own, you can consider getting a password manager to help. They’ll generate strong passwords for you and will fill them in whenever you need to login. Bitwarden and Proton Pass have free plans that are worth checking out and 1Password is a great option if you don’t mind shelling out $2.99 a month.

Basic security: 2FA

A strong and unique password is not enough to secure your account, however. The SEC and Mandiant presumably protected their X accounts with good passwords, but still got hacked. The reason: they did not have two factor authentication (2FA) enabled. So, you should absolutely turn on 2FA for your X account!

Two-factor authentication
Text message (unchecked)
Authentication app (checked)
Security key (checked)
X’s 2FA options. Don’t enable SMS-based 2FA! Screenshot from X.

To check your 2FA settings on X, go to “Settings and privacy,” “Security and account access,” “Security” and then “Two-factor authentication.” Non-premium users can use an authenticator or security key to protect their accounts, while premium users also have the option of receiving 2FA codes via SMS. 

If you are a premium user, please DO NOT opt for SMS-based 2FA! It is the least secure option because it is relatively easy for a cybercriminal to steal your phone number in a SIM-swap. They’ll then be able to receive any 2FA codes sent to you via text. Yikes!

Authenticators are a much better option than SMS codes for most people. While Google Authenticator, Authy and Microsoft Authenticator are some of the most well-known apps, I would recommend 2FAS, ente Auth or Aegis, depending on your needs. You can check out my review of ente Auth, as well as my comparison posts on Authy vs 2FAS and Authy vs Aegis for more info.

If you’re looking to maximize the security on your X account, however, you’ll want to invest in a security key. A security key is a physical device that looks a bit like a USB stick. You connect it to the device you’re logging in on, either through a connector or by using NFC, and tap a button on the key to authenticate. 

The great thing about security keys is that they are phishing resistant, so attackers who try to trick you into logging in on a phishing site cannot take over your account. This sets security keys apart from authenticators and codes sent via SMS, as both these forms of 2FA are vulnerable to phishing attacks.

Next steps

A strong, unique password together with 2FA will go a long way towards keeping your X account secure. But there’s still more you can and should do to protect your account.

Remove your phone number

X's Account Information UI
Username @safenotscammed
Phone redacted
Email redacted
Verified No
Removing your phone number from X can prevent attackers from SIM-swapping you and resetting your password. Unfortunately, you need a phone number to submit community notes, which is the only reason I have not removed mine. Screenshot from X edited in Canva.

If you can, consider removing your phone number from your X account entirely. Why? Because X allows you to reset your password via SMS if you don’t have 2FA enabled. This means that if you haven’t turned on 2FA or if it gets mistakenly disabled, then hackers can reset your password and take over your account if they SIM-swap you. This is exactly what happened to the SEC! Learn from their mistakes!

While you need a phone number associated with your X account to purchase a premium subscription, you can remove it later without losing access to your premium account. However, you do need to have a phone number associated with your account to submit community notes.

To remove your phone number from your X account, go to “settings and privacy,” “your account,” then “account information.” Click on your phone number and you’ll be given the option to delete it.

Enable password reset protection

X's password reset protection UI
Additional password protection
Enabling this setting adds extra security   to your account by requiring additional information to reset your password. If enabled, you must provide either the phone number or email address associated with your account in order to reset your password.

Password reset protect: enabled
Password reset protection means bad actors need to know the email address associated with your account before attempting to reset your password. Screenshot from X.

The next action you can take to secure your X account is to turn on password reset protection. This will stop bad actors from sending password reset requests unless they also know your email address. You can turn it on by going to “setting and privacy,” “security and account access,” and “security,” and then scrolling to “additional password protection.” You can then just click the slider to enable password reset protection.

As password resets are sent to your email account, it’s a good idea to take a moment to make sure your email is secured correctly. That means checking you’re at least using a strong and unique password and have turned on 2FA for your email account.

Check there is no suspicious activity 

X's security and account access UI

Manage your account's security and keep track of your account's usage including apps that you have connected to your account.

Apps and sessions
Connected accounts
It’s a good idea to periodically check these settings to make sure nothing seems amiss. Screenshot from X edited in Canva.

While you’re securing your X account, it’s also a good idea to check out the “Apps and sessions,” “connected accounts” and “delegate” settings, all of which can be found in the “security and account access” settings tab.

Under the “Apps and sessions” category, you can look at all the apps connected to your accounts, see a list of devices where you are currently logged in, and examine your login history. Revoke access to any apps you don’t recognize or no longer need and log out of any unfamiliar devices. Also, change your password if anything is amiss to make sure your account is secure.

The “connected accounts” category shows you any Apple or Google accounts connected to your X account. Disconnect anything that is unfamiliar and change your password to be sure no-one else has access to your account.

The “delegate” settings allow you to give another X user control over your account. So head to “members you’ve delegated” to make sure no-one can control your account but you!

Watch out for phishing and malware

Once you’ve worked through the steps I’ve outlined here, your X account should be in good shape. However, security is not a one and done thing. Phishing attacks and malware still pose a risk to your account and scammers are always coming up with new ways to trick you. So be wary of unsolicited emails or direct messages and be careful when downloading software onto your devices.

The takeaway

Following these six steps can help keep your X account secure:

1. Use a strong and unique password
2. Enable 2FA (not SMS-based 2FA)
3. Remove your phone number from your account
4. Enable password reset protection
5. Check the security settings for unfamiliar apps, devices etc
6. Be on the lookout for phishing and malware

Taking a bit of time to walk through these steps now will save you the frustration of trying to recover a hacked account later!

Leave a Comment

Your email address will not be published. Required fields are marked *