
X Account Hacked: How to Reclaim It (2026 Guide)
TL;DR
If your X account was hacked, start by securing the email linked to it, then use X’s password reset or the official hacked-account form. If the attacker replaced your credentials entirely, legal escalation under the DSA or a professional recovery service is your most reliable path to getting access back.
How to Know Your X Account Has Been Hacked
Not every login problem is a hack, but some signals are unmistakable. Watch for these warning signs:
- You receive an email from X saying your email address, phone number, or password was changed — and you didn’t do it.
- Posts, replies, or direct messages appear that you never sent.
- Your account suddenly follows hundreds of accounts you don’t know.
- You’re logged out without warning and your password no longer works.
- Friends or followers contact you about suspicious messages sent from your handle.
If you recognise any of these, act immediately. Speed matters — the faster you respond, the better your chances of retrieving the account before the attacker locks you out completely.
Step 1: Secure Your Email Account First
Most people rush to X’s login page before doing this. That’s a mistake. The attacker likely reached your X account through your email. If they still have access to your inbox, they can intercept every password reset X sends, keeping you locked out indefinitely.
Before anything else, open your email provider and take these actions:
- Change your email password to a strong, unique one you don’t use anywhere else.
- Enable two-factor authentication on your email account.
- Check for unknown forwarding rules or recovery addresses you didn’t add.
- Review recent login activity and revoke any sessions you don’t recognise.
Only once your email is fully secured should you move on to X’s recovery options.
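An added example (not part of the original guide) for the forwarding-rule check above. It assumes a Gmail account whose filters were exported from Settings → Filters and Blocked Addresses, and runs on a constructed sample in that Atom layout; `audit_filters` and the trusted-address list are illustrative names.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Constructed sample in the Atom layout Gmail uses for exported filters.
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry><title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.org'/>
    <apps:property name='label' value='News'/>
  </entry>
  <entry><title>Mail Filter</title>
    <apps:property name='from' value='x.com'/>
    <apps:property name='forwardTo' value='collector@example.net'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry><title>Mail Filter</title>
    <apps:property name='subject' value='invoice'/>
    <apps:property name='forwardTo' value='me@example.com'/>
  </entry>
</feed>"""

HIDE_ACTIONS = ("shouldTrash", "shouldArchive", "shouldMarkAsRead")
CRITERIA = ("from", "to", "subject", "hasTheWord")

def audit_filters(xml_text, trusted_addresses):
    """Return findings for filters that forward mail or hide it from the inbox."""
    trusted = {a.lower() for a in trusted_addresses}
    findings = []
    for entry in ET.fromstring(xml_text).iter(ATOM + "entry"):
        props = {p.get("name"): p.get("value", "")
                 for p in entry.iter(APPS + "property")}
        criteria = {k: v for k, v in props.items() if k in CRITERIA}
        target = props.get("forwardTo", "").lower()
        hides = [a for a in HIDE_ACTIONS if props.get(a) == "true"]
        if target and target not in trusted:
            # Forwarding to an unknown address; worse if the copy is also hidden.
            findings.append({"severity": "high" if hides else "medium",
                             "forward_to": target, "hides": hides,
                             "criteria": criteria})
        elif hides and not target:
            # Silent delete/archive rules can hide security notices from you.
            findings.append({"severity": "review", "forward_to": None,
                             "hides": hides, "criteria": criteria})
    return findings

if __name__ == "__main__":
    for finding in audit_filters(SAMPLE_EXPORT, ["me@example.com"]):
        print(finding)
```

The filter export does not include the account-level forwarding address, so check the Forwarding and POP/IMAP settings page separately.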
Step 2: Try the Standard Password Reset
If the attacker has not yet changed the email or phone number on your account, the standard password reset will often work:
- Go to x.com/login and click Forgot password?
- Enter your username, email address, or phone number.
- Choose where to receive the verification code (email or phone).
- Enter the code and create a new, strong password.
- Immediately go to Settings → Security and account access → Sessions and log out all other active sessions.
This approach works well when the attack was credential-based — for example, a leaked password reused from another service — and the attacker hasn’t changed your contact details yet.
Step 3: Submit X’s Official Hacked Account Form
If the attacker has already changed your email address or phone number, the standard reset will fail. You have no way to receive the reset code. X has a dedicated recovery path for this situation.
Go to X’s compromised account form and provide:
- Your @username or profile URL.
- The original email address or phone number you registered with, before any changes.
- A clear description of what happened, including when you first noticed the problem.
- Any supporting details that confirm ownership: post dates you remember, DMs you sent, linked apps you used.
X’s safety team reviews these cases individually. Response times range from 24 hours for straightforward cases to 3–7 days when all credentials have been replaced.
X will often ask follow-up questions to verify your identity. The more specific your initial submission, the faster the process moves.
Step 4: Revoke Unauthorized App Access
Once you regain access, change your password and then address a less obvious risk: OAuth tokens. Many attacks persist through third-party apps that were granted access to your account. A password change alone won’t revoke those tokens.
Go to Settings → Security and account access → Apps and sessions → Connected apps. Review every app listed. Revoke access to anything you don’t recognise or no longer use. This closes back doors that attackers leave in place.
Step 5: Harden Your Account Against Future Attacks
With your account secured, take steps to prevent a repeat:
- Enable two-factor authentication. Go to Settings → Security and account access → Security → Two-factor authentication. Use an authenticator app (such as Google Authenticator or Authy) rather than SMS. Phone numbers can be targeted via SIM-swapping.
- Use a unique password. If your X password was reused from another site, that’s almost certainly how the attack happened. A password manager makes unique passwords practical.
- Check active sessions regularly. Settings → Security and account access → Sessions shows all devices currently logged in.
- Be selective with third-party apps. Only grant account access to services you actively use and trust.
When Self-Recovery Fails: Your Legal Options
X’s support team sometimes fails to respond, rejects valid claims, or stops communicating mid-process. If you’ve exhausted the standard recovery steps without success, legal routes remain open.
For EU residents, the Digital Services Act (DSA) requires platforms like X to provide effective, accessible redress mechanisms. Under Article 17, you have the right to contest decisions affecting your account access. You can file a formal complaint with your national Digital Services Coordinator if X fails to respond appropriately.
Under GDPR Article 15, you also have the right to access personal data X holds about you — including your account content. A formal Subject Access Request sometimes triggers human review when automated support channels have failed.
If legal self-advocacy feels complex or you’ve already tried it without results, professional account recovery is a practical alternative. Recover uses legal arguments grounded in GDPR and the DSA to escalate cases to real reviewers inside X — bypassing automated queues. The service achieves a 97% success rate, with 96% of cases resolved within 30 days. No account password is required at any stage, and there is a full money-back guarantee if recovery isn’t possible. For context on pricing, personal profiles start at €290, with a pay-after-recovery option available for a €19 deposit.
If the compromise led to policy violations posted by the attacker — which sometimes triggers an additional suspension — see our guide on appealing an X account suspension. For a broader comparison of hacked-account recovery across platforms, our article on recovering a hacked Instagram account covers similar legal frameworks in depth.