X (Twitter) Account Hijack Recovery: Delete Unauthorized Posts and Secure Your Account
Quick Summary
What to do after an X account hack: identify unauthorized posts, bulk delete them, review connected apps, and secure the account.
Use the official flow and verify scope first
- Continue through X's own sign-in flow and review deletion scope safely.
- Proceed only after checking count and estimated price.
Changing only your password leaves connected apps and active sessions as open doors for re-entry.
X (formerly Twitter) account hijacking happens through phishing, credential stuffing, malicious third-party apps, and session cookie theft. By the time you notice something is wrong, the attacker may have already posted spam, sent scam DMs to your followers, or changed your profile information. Minimizing damage requires two parallel tracks: regaining access to your account and removing the content the attacker posted.
The X API delete endpoint has a critical constraint that applies even during post-hijack cleanup.
"Deletes a specific Post by its ID, if owned by the authenticated user."
Source: X API Delete Post https://docs.x.com/x-api/posts/delete-post (Verified: 2026-06-19)
This means posts can only be deleted through an authenticated session that you control: once you regain access, the posts the attacker made during the hijack can be removed through your restored session. Below is a step-by-step recovery procedure organized by priority.
Six Signs Your X Account Has Been Compromised
Account takeovers do not always begin with a full lockout. In many cases, the attacker maintains quiet access while operating in the background. If you observe even one of the following signs, begin recovery procedures immediately.
- Posts you did not write: Crypto promotions, giveaway scams, or suspicious links appearing on your timeline
- DMs you did not send: Messages to your followers containing phishing URLs or scam content
- Unusual follow/unfollow activity: Your account is following hundreds of unknown accounts
- Profile modifications: Display name, avatar, bio, or website link have been changed without your authorization
- Email or phone number change notifications: X sent you an alert about contact information changes you did not request
- Login alerts from unknown locations: Sign-in notifications from IP addresses or devices you do not recognize
The McAfee security blog summarizes these indicators clearly.
"Unexpected posts: Tweets you didn't write, especially spam, crypto links, or promotions. Unusual DMs: Messages sent from your account that you don't remember sending. Account behavior changes: Random follows, unfollows, blocks, or profile changes you didn't approve."
Source: McAfee Blog "X (Twitter) Account Hacked: What to Do Right Now" https://www.mcafee.com/blogs/tips-tricks/x-twitter-account-hacked-what-to-do-right-now/ (Verified: 2026-06-19)
The email change notification is particularly dangerous because it is the attacker's method of blocking your recovery path. If you find this notification, look for a "reverse this change" security link in the email body and act on it immediately, as these links expire quickly.
Step-by-Step Account Recovery
Once you confirm the hijack, follow these steps in order. Skipping steps or changing the order can allow the attacker to regain access.
Step 1: Reset Your Password
If you can still log in, change your password immediately from X settings. The new password must be unique and not reused from any other service. If you are locked out, use the "Forgot password" flow on the login screen.
Step 2: Verify and Reverse Email Changes
Attackers often change the registered email address to prevent password resets. Check your inbox for X notification emails about email changes. If a security reversal link is included, use it before the expiration window closes.
Step 3: Secure Your Email Account
X password resets go through your email. If the email account itself is compromised, the attacker can reset your X password at will. Change your email password and enable two-factor authentication on the email account as well.
Step 4: Force-Logout All Active Sessions
Changing your password does not automatically terminate mobile app sessions. Go to Settings > Security and account access > Apps and sessions > Sessions, and select "Log out of all other sessions." This forcibly disconnects any browser or app session the attacker was using.
Identifying and Bulk Deleting Unauthorized Posts
After regaining access, the next priority is removing content the attacker posted. Manual deletion works for small volumes, but hijack scenarios often involve dozens or hundreds of spam posts.
How to Identify Unauthorized Posts
Use the following criteria to filter posts for deletion.
- Filter by date: Focus on posts made during the hijack window
- Content-based filtering: Crypto links, spam URLs, unfamiliar promotions, and replies you did not write are all deletion targets
- Check DMs: Attackers frequently send phishing messages to your followers from your account
Rate Limits for Bulk Deletion
The X API enforces rate limits on deletion operations, even during emergency post-hijack cleanup.
"You can manage 50 Posts per 15-minute window for posting, deleting, and other POST operations."
Source: X API Manage Tweets Rate Limits https://docs.x.com/x-api/posts/manage-tweets/limits (Verified: 2026-06-19)
Deleting 100 unauthorized posts requires at least 30 minutes. Deleting 500 posts takes at least 2.5 hours. Tools like X Deleter handle the rate limit timing automatically, cycling through deletion batches with built-in wait periods. For a detailed walkthrough of the bulk deletion process, see the X post bulk deletion guide.
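As an added example (not code from the article or from the X Deleter tool), the following Python script applies the identification criteria above and the 50-per-15-minute limit: it flags posts inside the hijack window, queues spam-looking posts outside it for manual review, splits the targets into rate-limit batches using the article's time arithmetic, and drives the deletion through an injected `delete` callable so the whole flow can be dry-run offline. The sample posts, the spam indicator regex and the hijack window are constructed; the v2 endpoint path `DELETE https://api.x.com/2/tweets/{id}` and the `{"data": {"deleted": true}}` response shape are taken from the public API reference, not from this page, and should be checked against the docs page cited above before use.

```python
"""Triage posts made during an X account hijack and plan their deletion under the
50-per-15-minute rate limit the article quotes. Added example, not the article's or
X Deleter's code; the v2 endpoint path DELETE /2/tweets/{id} is assumed from the
public API reference (the article cites the docs page, not the path)."""
from __future__ import annotations

import json
import re
import time
import urllib.request
from datetime import datetime, timedelta, timezone

# Rate limit quoted in the article: 50 manage operations per 15-minute window.
PER_WINDOW = 50
WINDOW_SECONDS = 15 * 60

# Constructed indicators for the article's "crypto links, spam URLs, unfamiliar
# promotions" criterion; tune to the spam actually observed on the timeline.
SUSPICIOUS = re.compile(
    r"giveaway|airdrop|crypto|\bBTC\b|\bETH\b|free\s+\$|claim\s+now|bit\.ly/|tinyurl\.com/",
    re.IGNORECASE,
)

def parse_ts(s: str) -> datetime:
    """Parse an ISO 8601 timestamp; a missing offset is treated as UTC."""
    dt = datetime.fromisoformat(s.replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def flag_unauthorized(posts, hijack_start, hijack_end=None):
    """Return (post, reason) pairs: everything inside the hijack window is a
    deletion target; spam-looking posts outside it are queued for manual review."""
    hijack_end = hijack_end or datetime.now(timezone.utc)
    flagged = []
    for p in posts:
        ts = parse_ts(p["created_at"])
        if hijack_start <= ts <= hijack_end:
            flagged.append((p, "posted during hijack window"))
        elif SUSPICIOUS.search(p["text"]):
            flagged.append((p, "matches spam indicator; review manually"))
    return flagged

def plan_batches(post_ids):
    """Split ids into rate-limit batches; estimate time with the article's arithmetic
    of one full 15-minute window per batch (100 posts -> 30 min, 500 -> 2.5 h)."""
    batches = [post_ids[i:i + PER_WINDOW] for i in range(0, len(post_ids), PER_WINDOW)]
    return batches, timedelta(seconds=len(batches) * WINDOW_SECONDS)

def run_deletion(post_ids, delete, sleep=time.sleep):
    """Delete batch by batch, waiting a full window between batches.
    `delete(post_id) -> bool` is injected so the loop drives the live API or a dry
    run; refusals (an id the authenticated session does not own) are collected."""
    batches, _ = plan_batches(post_ids)
    deleted, failed = [], []
    for i, batch in enumerate(batches):
        if i > 0:
            sleep(WINDOW_SECONDS)
        for pid in batch:
            (deleted if delete(pid) else failed).append(pid)
    return deleted, failed

def x_api_delete(post_id: str, user_token: str) -> bool:
    """Live delete via the assumed v2 path (not exercised offline). Success body is
    {"data": {"deleted": true}}; a post the session does not own is refused."""
    req = urllib.request.Request(
        f"https://api.x.com/2/tweets/{post_id}",
        method="DELETE",
        headers={"Authorization": f"Bearer {user_token}"},
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return bool(json.load(resp).get("data", {}).get("deleted"))
    except OSError:  # HTTPError and URLError both derive from OSError
        return False

# Constructed sample: two legitimate posts, then three made during the hijack.
SAMPLE_POSTS = [
    {"id": "1001", "created_at": "2026-06-10T09:00:00Z", "text": "Slides from my talk are up."},
    {"id": "1002", "created_at": "2026-06-12T18:30:00Z", "text": "Weekend hike photos."},
    {"id": "1003", "created_at": "2026-06-14T02:05:00Z", "text": "FREE $ETH airdrop, claim now: bit.ly/abc"},
    {"id": "1004", "created_at": "2026-06-14T02:07:00Z", "text": "Giveaway! 10 BTC to the first 100 followers"},
    {"id": "1005", "created_at": "2026-06-14T03:00:00Z", "text": "Check the new link in my bio"},
]
HIJACK_START = datetime(2026, 6, 14, 1, 0, tzinfo=timezone.utc)
HIJACK_END = datetime(2026, 6, 14, 6, 0, tzinfo=timezone.utc)

def demo(delete=lambda pid: pid != "1005", sleep=lambda s: None):
    """Dry run over the sample: flag, plan, delete (post 1005 simulates a refusal)."""
    flagged = flag_unauthorized(SAMPLE_POSTS, HIJACK_START, HIJACK_END)
    ids = [p["id"] for p, reason in flagged if reason.startswith("posted")]
    batches, eta = plan_batches(ids)
    deleted, failed = run_deletion(ids, delete, sleep)
    return {"targets": ids, "batches": len(batches), "eta_min": eta.total_seconds() / 60,
            "deleted": deleted, "failed": failed}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

To run against a live account, pass `lambda pid: x_api_delete(pid, token)` as `delete` and leave `sleep` at its default; the injected callables are what make the same loop testable without touching the API. Note that the date filter is the reliable signal: the keyword regex only surfaces candidates for a human to confirm, since legitimate posts can mention the same terms.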
Revoking Connected Apps and Active Sessions
The most commonly overlooked recovery step is revoking third-party app access. Attackers sometimes authorize a malicious app while they have control, creating a persistent backdoor that survives password changes.
How to Audit Connected Apps
Navigate to Settings > Security and account access > Apps and sessions > Connected apps. Apply the following criteria:
- Unrecognized apps: Revoke immediately
- Apps not used in months: Revoke and re-authorize only if still needed
- Apps with "Read and Post" permissions: These can post on your behalf without additional authentication. Evaluate whether each app truly needs write access
Security researchers consistently identify connected app oversight as the leading cause of re-compromise after an initial hijack.
"The biggest mistake people make after their X account gets hacked: Only changing their password. If the attacker still has access through connected apps, a compromised email account, or saved sessions, they can regain control quickly."
Source: McAfee Blog "X (Twitter) Account Hacked: What to Do Right Now" https://www.mcafee.com/blogs/tips-tricks/x-twitter-account-hacked-what-to-do-right-now/ (Verified: 2026-06-19)
The safest approach is to revoke all connected apps at once, then re-authorize only the ones you use daily and trust. Regular app audits should also be part of your ongoing security routine. See the account hijack prevention guide for proactive measures you can take before an incident occurs.
Security Settings to Prevent Re-Compromise
After access recovery and unauthorized post deletion, strengthen your security configuration to prevent future incidents.
Enable Two-Factor Authentication
X has discontinued SMS-based 2FA for non-Premium users. Current options include authenticator apps (Google Authenticator, Authy) and hardware security keys (YubiKey). Authenticator app-based 2FA ensures that even if your password is compromised, the attacker cannot log in without the second factor.
"When you set up two-factor authentication, you add an extra layer of security to your account by requiring a temporary code or security key in addition to your password."
Source: X Help Center "About two-factor authentication" https://help.x.com/en/managing-your-account/two-factor-authentication (Verified: 2026-06-19)
Enable Login Verification
X offers a "Login verification" option that requires a confirmation code when signing in from a new device. Without this enabled, anyone with your password and 2FA code can access your account from any device. Turn this on immediately.
Use a Password Manager
Generate and store a unique password for X using a dedicated password manager such as 1Password, Bitwarden, or Dashlane. Browser-based password storage can be compromised if the browser itself is breached. A dedicated manager encrypts credentials in a separate vault.
Contacting X Support
If self-recovery fails, submit a request through X's official hacked account form. You will need the following information:
- Username (@handle): The hijacked account's username
- Last known access date: When you last had control of the account (approximate is acceptable)
- Original email address: The email used when the account was created, even if it has since been changed
- Description of the incident: Specific details about unauthorized posts and how you lost access
The form is available at X's Help Center.
X Help Center "Hacked or compromised account" form https://help.x.com/en/forms/account-access/regain-access/hacked-or-compromised (Verified: 2026-06-19)
Premium accounts typically receive a response within 24-72 hours. Free accounts may wait 1-3 weeks. If you do not receive a reply, resubmit with additional information. Including X Premium payment receipts or screenshots of previous posts can accelerate the verification process.
Post-Recovery Checklist and Ongoing Monitoring
Regaining access is not the end of the recovery process. Complete every item on the following checklist before considering the account fully recovered.
For at least three months after recovery, check your login alerts and connected app list weekly. Re-compromise typically occurs within weeks of the initial breach, using the same access path the attacker left behind. Cleaning up your entire post history alongside the unauthorized posts also reduces the attack surface for future incidents. See the account suspension risk guide to ensure your deletion activity does not trigger automated account restrictions.
Frequently Asked Questions
What matters most when choosing X account hacked recovery options?
Prioritize official API usage, permission scope, pricing clarity, and continuation reliability over feature-list hype.
Why does official API usage matter?
It makes the auth flow and permission model easier to evaluate, which reduces suspension and account-hijack risk.
Related Articles
These articles target closely related search intent and next-step questions.
Deleting Past Posts as an X Account Hijack Countermeasure | Practical Steps to Minimize Damage
Deleting past posts to minimize hijack damage. Explains how to prevent secondary damage and the emergency response steps.
X Bulk Post Deletion 2026 | Practical Steps to Safely Delete All Past Posts
Practical steps for deleting "posts" after the X rebrand. Covers the process from safe design to completion verification, based on the API specification.
Will Twitter "Tweet Deleter" Tools Get You Suspended? How to Choose a Safe Bulk Deletion App
A risk-control article for users comparing unofficial deletion tools against official API-based approaches.
