What to do if an employee hijacks your Twitter account

by Dave Larson on August 12, 2011

TIP: For a quick fix for most hijacked account problems, see http://bit.ly/BlockBadApps. (Scroll down to “What to do: Worst-case scenarios” if you want to get right to the tips.)

Most hijacked accounts are taken over by automated systems that expect to be kicked out eventually (see “How bad Twitter links & apps can trick you”). In the meantime they send spam or scams out under your name. Remember to delete tweets or DMs that weren’t sent by you once you’re done regaining control of your account!

But a hijacker who is dedicated to controlling your account has a number of options at their disposal that are difficult to deal with.

Let’s say they are connected to your account via a mobile app that you also use on your desktop AND have your password. Revoking the app won’t kick them out, because they can log in and reauthorize the app. Changing the password won’t help (at least not immediately), because the app they are using is still authorized on your account. Even revoking the app and then changing the password can fail if the gap between revoking the app and changing the password is long enough for them to log in and reauthorize it.

Rule #1: Never give anyone the password to your Twitter account

You never need to give it to anyone. If someone needs to use your Twitter account, they can do so through an app that you authorize.

If they have an app on their mobile or computer that is authorized to connect to your Twitter account, you can always simply revoke it at http://j.mp/YourTwitterApps. But if they have your account password, they can always log in to Twitter.com and then reauthorize the app.

Plus, if they have your password, they can log in to Twitter.com and change the password and the email address, locking you out of your account. Why would they change the email address? Because Twitter uses that address to send you a password reset if you ever forget your password—or if someone changes it without your permission.

Rule #2: Link your phone to Twitter

Doing this could save your account if you lose your email and password. See How to Add Your Phone to Twitter.

Rule #3: Secure your email address from employee problems

If your employee was able to send email from the email address you use for your Twitter account, you will have to lock them out of that email. How to do this varies widely from company to company, but it can be as simple as changing passwords.

What to do: Worst-case scenarios

TIP: If an employee (or anyone) has installed malware on your computer in order to steal your information, you will have to find and remove the malware before anything else you do can work. 

After securing your email address from employee access (thanks to @caitriona for pointing this out), read the following tips.

Some apps have you create a personal account just for that app, and then have you authorize your Twitter account once you are set up. Most that do this are team apps, which help you manage multiple people accessing the app. This can complicate recovering your account. Here’s what you need to know:

1. If you can still log in at Twitter.com and to all apps that have their own logins

You’ll want to follow these steps, in this order:

  1. Log in to Twitter.com and change your password.
  2. Log in to each app that you need to use that has its own account and change its password.
  3. Revoke all apps at http://j.mp/YourTwitterApps. (You may want to copy/paste the names of the ones you will be reauthorizing after you’re done.)

Don’t revoke the apps first! If they’re using one of them, they will get a notification that it was revoked, and will probably try to log in and reauthorize it.
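The ordering rule above, and the race described earlier (revoke, gap, password change), as an added example that is not from the original post: a small Python model of an account with a password and authorized app tokens, an attacker who knows the password, and the two recovery orderings. The classes, step names and passwords are constructed for illustration; only the post’s two stated rules are encoded.

```python
# Added example (not from the original post): a toy model of the recovery race
# the post describes. It encodes only the post's two rules:
#   1. changing the password does not invalidate already-authorized apps
#   2. anyone who knows the current password can (re)authorize an app
# The classes, step names and passwords are constructed for illustration.

class TwitterAccount:
    def __init__(self, password):
        self.password = password
        self.tokens = set()       # authorized app tokens
        self.issued = 0

    def authorize_app(self, password):
        """Rule 2: needs the current password. Returns a token, or None."""
        if password != self.password:
            return None
        self.issued += 1
        self.tokens.add(self.issued)
        return self.issued

    def revoke_all_apps(self):
        self.tokens.clear()

    def change_password(self, new_password):
        self.password = new_password   # Rule 1: tokens deliberately survive


class Attacker:
    """Knows the old password and holds an app token."""
    def __init__(self, account, known_password):
        self.known_password = known_password
        self.token = account.authorize_app(known_password)

    def has_access(self, account):
        return self.token in account.tokens or self.known_password == account.password

    def on_revoked(self, account):
        # The revocation notice the post mentions: they log in and reauthorize.
        self.token = account.authorize_app(self.known_password)


def recover(steps):
    """Apply recovery steps in order; return True if the attacker keeps access."""
    account = TwitterAccount("old-pw")
    attacker = Attacker(account, "old-pw")
    for step in steps:
        if step == "revoke":
            account.revoke_all_apps()
            attacker.on_revoked(account)   # they react before the next step
        elif step == "change_password":
            account.change_password("new-pw")
    return attacker.has_access(account)
```

Running `recover(["revoke", "change_password"])` leaves the attacker in, while `recover(["change_password", "revoke"])` locks them out; either step alone is not enough.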

2. If you can still log in at Twitter.com but can’t log in to an app that has its own login

Contact the provider of the app you are having trouble with to regain access. Once you have access again:

  1. Log in to Twitter.com and change your password.
  2. Log in to each app that has its own account and change its password.
  3. Revoke all apps at http://j.mp/YourTwitterApps. (You may want to copy/paste the names of the ones you will be reauthorizing after you’re done.)

3. If you can’t log in at Twitter.com

If they have changed your password, but not your email address or phone connection (provided you have set one up), requesting a password reset from Twitter will give you access to your account again, and you can then follow the steps above.

4. If you are unable to log into your Twitter.com account and are unable to receive a password reset email

You will need to submit a help request by selecting ‘Password or login problems’ from the ‘Regarding’ drop-down menu here. Provide this information:

  • Your username
  • The email address you think is associated with your account
  • The phone number you think is associated with your account

5. If you are unable to access Twitter’s web submission form

First, try going here. If you can’t connect to it, you will be redirected to a Twitter login page. If you are unable to log in:

  1. Click the link in the lower-right corner of the page (it says “No account? Can’t login?”). This lets you email the Support team directly.
  2. In the “Email” field, be sure to type the address associated with your account.
  3. In the subject line of the email, write ‘Password issues – Cannot log into my account’, and include a description of your problem plus:
     • Your username
     • The email address you think is associated with your account
     • The phone number you think is associated with your account

What happens after you contact Twitter support?

You may have to wait more than a day. Tickets are handled in the order received, and sometimes Twitter is overwhelmed with requests. But most important, be sure to read “Why Twitter closed your support request without reading it.”

What should you do in the future?

Read Twitter’s tips for keeping your account secure! Also, help other people who may have had their Twitter accounts hijacked. Don’t just block someone for sending spam if you have a suspicion their account may have been taken over. Check the messages being sent from hijacked accounts to see if what you are looking at is more likely a hijacked account, or more likely simply a spammer.


Stephanie Daugherty August 13, 2011 at 6:45 AM

Don’t forget. Secure the email account first. If it’s been hijacked too, the attacker will probably retake control of the Twitter account via password reset, and the password reset email alone may tip them off to you trying to regain control.


Dave Larson August 13, 2011 at 9:34 AM

Considering we’re talking about employees here, that’s an excellent point. Have updated the post and credited you.
