Ask HN: X account hacked again – no email when attacker changed the email? How?

by hadaoaxb on 6/20/2025, 7:14:55 PM with 5 comments
Hey folks, Hey everyone, I’m trying to figure out how this happened and hoping someone here might know more about how X’s (Twitter) system works.

First time, my company’s X account was hacked 2 weeks ago. Totally my fault — I clicked on a phishing email and gave them the password and even uploaded some company documents and my ID. But after 12hrs, X support helped me recover the account, I changed the password, enabled all 2FA options (eventhough I did it from the beginning but hacker bypassed it), and they told me they revoked all sessions. Since then, I’ve only been logging in from the official mobile app and all other staff only got delegated, not login access.

Second time, 2 weeks later (yesterday)— I suddenly get kicked out of the app, all my team delegator members lose access too, and when I try to log back in, it says it can’t find my email. . But this time, I never got any notification from X saying the email was changed like the first time.

My email is totally secure — no sign of compromise, no new login sessions.

SIM is fine. No new logins. I didn’t click on anything sketchy nor install any apps recently since that first phishing attack.

I’m wondering:

1. Can someone change the email on an X account without triggering a notification to the original email?

2. Does X suppress those if someone contacts support and claims the original email is compromised after 2 weeks?

Would love to hear if anyone else has seen something like this or knows how the backend systems work. I'm still waiting on X support, but this is really bothering me.

  • by acheong08 on 6/20/2025, 10:07:56 PM

    My Twitter account was hacked recently as well. A seemingly impossible hack: randomly generated password stored in a self hosted password manager accessible only from my wireguard network. I log everything and no signs of access from an IP outside my normal range. The email is also self hosted with a randomly generated password stored on an external device (not password manager since email is more important).

    I suspect a third party app has been compromised. https://help.x.com/en/managing-your-account/connect-or-revok...

    Specifically, the only app authorized on my account was Twitcasting (https://en.m.wikipedia.org/wiki/TwitCasting).

    The attacker seemed to have used it to add additional apps onto my account and control it without having my password.

  • by viraptor on 6/20/2025, 9:36:44 PM

    Is there a chance that your email for owned as well and the notification has been filtered/deleted?