Is Your X Account Secure?
Football coaches are getting hacked. Run this 2-minute audit and fix the gaps before it happens to you.
Two-Factor Authentication (Critical)
2FA enabled (authentication app or security key)
SMS-based 2FA is better than nothing, but an authenticator app (Google Authenticator, Authy) or security key is much harder to bypass.
How to check
- Open X Settings > Security > Two-factor authentication
- You should see at least one method toggled on (Authentication app or Security key). If everything is off, you don't have 2FA.
How to fix this
- On the same page, select "Authentication app"
- Scan the QR code with your authenticator app (Google Authenticator, Authy, or your password manager)
- Enter the code to confirm
Backup codes saved somewhere safe
If you lose your phone, backup codes are the only way back into your account. Save them in a password manager or print them out.
How to check
- Open X Settings > Security > Two-factor authentication
- Click "Backup codes". If you've generated them before, you'll see existing codes. If you can find a copy in your password manager or notes, you're good.
- If you've never generated them, or you can't find where you saved them, treat this as a no.
How to fix this
- On the same page, click "Backup codes" then "Generate backup codes"
- Copy or screenshot the codes
- Store them in your password manager or a secure note you won't lose
Password Security
Strong unique password (not reused from other sites)
If you use the same password on X as another site, a breach on that site gives attackers your X password too.
How to check
- Open your password manager and look up your X / Twitter entry.
- If your X password is the same as any other site's, or if you can type it from memory (which usually means it's short or simple), it's not strong enough.
- No password manager? Then the answer is almost certainly no.
How to fix this
- Open X Settings > Change your password
- Use your password manager to generate a strong, unique password (16+ characters)
- Save it in your password manager
Using a password manager
A password manager (1Password, Bitwarden, Apple Keychain) lets you use strong, unique passwords without remembering them all.
How to check
- Do you use 1Password, Bitwarden, LastPass, Dashlane, or Apple/Google's built-in password manager?
- Is your X password stored in it? If you log into X by typing a password you've memorised, you're probably not using one for this account.
Connected Apps
Reviewed connected apps in the last 90 days
Third-party apps with access to your account can post, DM, or change settings on your behalf. Old or forgotten apps are a common attack vector.
How to check
- Open X Settings > Security and account access > Apps and sessions > Connected apps
- Look at the list. Do you recognise every app? Do you still use all of them? If you haven't looked at this page in months, mark this as no.
How to fix this
- On the same page, review each app listed
- Revoke access to anything you don't recognise or no longer use
- If in doubt, revoke it. You can always reconnect a legitimate app later.
Revoked access to any apps you don't recognise or use
If in doubt, revoke it. You can always reconnect a legitimate app later.
How to check
- Open X Settings > Connected apps
- If the list is empty or every app is one you actively use and trust, you're good. If there are apps you don't recognise, mark this as no.
How to fix this
- On the same page, click on any app you're unsure about
- Click "Revoke access"
- Repeat for all unrecognised or unused apps
Account Recovery
Recovery email is current and accessible
If you get locked out, this is how X verifies you. Make sure it's an email you can actually access right now.
How to check
- Open X Settings > Your account > Account information > Email
- You'll see the email address on file. Is it one you can still log into right now? If it's an old work email or one you've lost access to, mark this as no.
How to fix this
- On the same page, click "Update email address"
- Enter an email you actively use and can access
- Confirm the change via the verification email X sends you
Phone number is current (for account recovery, not 2FA)
A current phone number gives you an extra recovery path if email alone isn't enough.
How to check
- Open X Settings > Your account > Account information > Phone
- You'll see your phone number (partially masked). Is this still your current number? If there's no number listed, or it's an old one, mark this as no.
How to fix this
- On the same page, click "Update phone number"
- Enter your current mobile number
- Verify with the code X sends via SMS
Login alerts enabled
Get notified when someone logs into your account from a new device or location. Early warning is everything.
How to check
- Open X Settings > Security and account access > Security
- Look for "Additional password protection" or login notification settings. If login alerts/notifications are toggled on, you're good.
- Also check: have you ever received a "new login" email from X? If you've logged in from a new device and didn't get an alert, it's off.
How to fix this
- On the same page, enable login notifications
- Check your email/push notification settings aren't blocking alerts from X
Session and Privacy
Logged out of devices you don't use
Old sessions on shared or lost devices are a way in. Clean them up.
How to check
- Open X Settings > Security and account access > Apps and sessions > Sessions
- You'll see a list of active sessions with device types and locations. If the only sessions are devices you currently use, you're good.
- If you see old phones, work computers you no longer have, or devices you don't recognise, mark this as no.
How to fix this
- On the same page, click "Log out" on any session you don't recognise or no longer use
- Or use "Log out all other sessions" to clean up everything at once (you'll stay logged in on your current device)
Checked for unfamiliar login locations
If you see sessions from countries you've never been to, someone else may have access.
How to check
- Open X Settings > Sessions
- Look at the location shown for each session. Do they all match places you've actually been? VPNs can show different locations, so account for that.
- If there's a session from a country you've never visited and you don't use a VPN, someone else may have access.
How to fix this
- If anything looks wrong: immediately click "Log out all other sessions"
- Then change your password
- Then enable 2FA if you haven't already
DM settings reviewed (who can message you)
Open DMs make phishing easier. Consider limiting who can DM you to reduce attack surface.
How to check
- Open X Settings > Privacy and safety > Direct messages
- Check whether "Allow message requests from everyone" is on or off. If it's on, anyone can DM you, including phishing attempts.
- This is a judgement call. If you need open DMs for networking, that's fine. Just make sure you've consciously chosen it rather than left it on by default.
How to fix this
- On the same page, toggle off "Allow message requests from everyone" if you don't need it
- You'll still receive DMs from people you follow and people who've messaged you before
Account Already Compromised?
If you think someone else has access to your account, do these things now:
- Reset your password immediately from a device you trust
- Revoke access to all unrecognised apps in Settings > Connected apps
- Log out of all sessions in Settings > Sessions
- Enable or reset 2FA using an authenticator app, not SMS
- Contact X Support at help.x.com
- Check your email account security too. Your X recovery email may also be compromised.