·  ·  · 

X Login Outage: Security Key Switch to X.com Locks Out Users as Twitter.com Finally Dies (November 13, 2025)

November 13, 2025
by
X Login Outage: Security Key Switch to X.com Locks Out Users as Twitter.com Finally Dies (November 13, 2025)

Millions of X (formerly Twitter) users who did “everything right” for account security have spent the last 24 hours locked out, stuck in endless two‑factor authentication loops and greeted by a confusing message:

“You must re‑enroll your YubiKey.”

The glitch is tied directly to Elon Musk’s long‑running effort to erase the last traces of twitter.com and move logins fully to x.com — a brand and domain transition critics already saw as one of the messiest rebrands in tech. [1]

Here’s what happened, what’s new today (November 13, 2025), and what you can do if your X account is currently trapped in authentication hell.

What happened: X’s security key switchover goes sideways

On October 24–27, X quietly warned users that if they used a hardware security key (like a YubiKey) or passkey for two‑factor authentication (2FA), they had to re‑enroll it for the new x.com domain by November 10, 2025, or risk being locked out. [2]

X’s Safety team stressed at the time that:

  • The change was “not related to any security incident,”
  • It only affected security keys and passkeys,
  • And it was needed because those keys are cryptographically tied to twitter.com, which X wants to retire. [3]

Security outlets like BleepingComputer and The Register explained that once twitter.com is gone, keys bound to that domain simply won’t work — so they must be re‑registered against x.com. [4]

That was the plan.

The reality arrived this week.

November 12–13: YubiKey error and infinite login loops

Starting late November 12 (US time) and rolling into the early hours of November 13, 2025, X users began reporting that they could no longer log in on web or mobile:

  • After entering their password, they were told they “must re‑enroll [their] YubiKey” to associate it with x.com. [5]
  • When they tried to follow the instructions, the flow simply… looped.
  • Some never owned a YubiKey at all, but were still forced into the same “re‑enroll your YubiKey” screen. [6]

Android Central, Windows Central and TechCrunch all documented the same pattern: a global login issue for accounts tied to security keys or passkeys, often resulting in a verification dead‑end or outright lockout even when users followed the instructions correctly. [7]

Security‑focused outlet The Tech Buzz described it bluntly as a “security key migration” gone wrong that turned domain housekeeping into “authentication hell” for the platform’s most security‑conscious users. [8]

Today’s update (November 13, 2025): Partial recovery, lingering chaos

New reporting and user posts today suggest the worst of the outage is easing — but not everyone is back in yet.

Newsrooms: Issue confirmed, X still mostly silent

  • NewsBytes reports that X is “facing a major issue after a mandatory two‑factor authentication change,” leaving users “caught in endless loops or completely locked out,” and notes that X has not publicly commented on the glitch. [9]
  • Storyboard18 likewise describes a “botched security update” that locked out users or trapped them in login loops — again emphasizing that X has offered no official explanation while Elon Musk continues posting normally from his own account. [10]
  • Tech Buzz updated its story this morning to reflect continued authentication failures and ongoing lack of a formal statement from X. [11]

TechCrunch notes that X “did not respond to a request for comment,” even as its own login coverage detailed endless loops and widespread lockouts after the November 10 deadline. [12]

User reports: rollback in progress, but not universal

Windows Central’s live blog, citing internal sources, reported on November 12 that X’s engineers were rolling back recent changes, and by mid‑afternoon the writer was able to log back in while outage reports on DownDetector began trending down. [13]

On Reddit’s r/Yubikey and r/Twitter communities, users describe: [14]

  • Global issues with X’s YubiKey/passkey login flow.
  • Confusing prompts to “re‑enroll your YubiKey” even for people who only used passkeys or authenticator apps.
  • A wave of comments early today like “I’m back in” and “Fixed for both my accounts”alongside others saying they’re still locked out.

One widely shared Reddit comment references a post from a verified X engineer stating that the “security key login issue should be resolved soon,” but the fix is clearly rolling out unevenly: some accounts work again, others are still stuck in the loop. [15]

Bottom line for November 13:

  • The outage is improving but not fully over.
  • There is still no detailed, public post‑mortem from X.

Who is affected — and who isn’t?

Based on reports across today’s coverage and user posts: [16]

Most affected:

  • Accounts that ever set up:
    • A hardware security key (YubiKey or similar), or
    • A passkey (platform authenticator using Face ID, Touch ID, Windows Hello, etc.)
  • Especially users whose keys were originally registered back when the service still used twitter.com for logins.

Mostly unaffected (so far):

  • Accounts using app‑based authenticators (TOTP apps),
  • Accounts using SMS or email codes for 2FA,
  • Accounts with no 2FA (though that is strongly discouraged for security).

Ironically, the people who invested in the strongest protections — hardware tokens and passkeys — have been punished the most by this botched migration. Several user reports also suggest that some non‑key users were swept into the error by a buggy login flow that didn’t correctly detect their setup. [17]

Why the twitter.com → x.com switch broke login

To understand the outage, you have to understand how security keys and passkeys work.

Unlike passwords, WebAuthn/FIDO2 security keys and passkeys are tied to a specific domain. When you first registered a key for twitter.com, it cryptographically locked itself to that exact origin. [18]

So when X decided to finally kill off the old domain and move logins fully to x.com:

  1. Keys registered to twitter.com stopped matching the new domain.
  2. X therefore required users to un‑enroll and re‑enroll them for x.com.
  3. The re‑enrollment flow itself appears to have been broken, causing:
    • Infinite loops back to the “re‑enroll your YubiKey” screen,
    • Login prompts for YubiKeys on accounts that only used passkeys or apps,
    • Users unable to reach the settings page where the change must be made. [19]

X Safety previously reassured users that this was simple maintenance and “not related to any security concern,” but the execution clearly failed basic reliability expectations: security migrations are supposed to make people safer, not log them out en masse. [20]

Is this a hack or data breach?

There is no evidence so far that this incident is a hack, breach, or external cyberattack.

  • X’s own October clarifications framed the key reset as a domain migration, not an incident response. [21]
  • Current reporting from NewsBytes, Storyboard18, TechBuzz, TechCrunch and others all connect the outage to a failed implementation of the planned security key migration, not to a compromise of X’s systems. [22]

That said, X has not yet shared a detailed technical explanation, so outside observers are still piecing together the root cause from behavior and leaked internal comments.

What to do if you’re locked out of your X account

If you’re currently stuck in the YubiKey/passkey loop, here are practical steps drawn from X’s own earlier guidance and security experts’ recommendations. [23]

1. Try from a device where you’re already logged in

If you still have an active X session on:

  • A phone,
  • A tablet, or
  • Another browser profile,

use that logged‑in session to:

  1. Go to Settings → Security & account access → Security → Two‑factor authentication.
  2. Temporarily disable the old security key/passkey entry that references twitter.com.
  3. Add a backup 2FA method (authenticator app or another hardware key) if you don’t already have one.
  4. Re‑enroll your YubiKey/passkey for x.com only when the migration issues are clearly resolved.

2. Check other 2FA options

Some users report they can still get in via: [24]

  • An authenticator app they previously set up,
  • SMS or email codes,
  • A backup hardware key.

If you can authenticate with one of those, go straight to settings and verify:

  • Which security keys are listed,
  • Whether your key is now bound to x.com,
  • And that you have at least one working backup method.

3. Use X’s account recovery form

If no login method works and you’re completely locked out, your only official path is to contact X support via its “regain access to your account” form, which multiple users on Reddit say they’ve resorted to. [25]

This process can be slow and there’s no guarantee of success, but it’s the only legitimate recovery route X offers if 2FA is broken.

4. Avoid disabling 2FA entirely (if you can help it)

X’s own warnings before the deadline said that after November 10 you could: [26]

  • Re‑enroll your key or passkey,
  • Switch to a different 2FA method, or
  • Disable 2FA altogether (which they themselves “strongly discourage”).

Unless you absolutely must get back in immediately and have no other options, try not to permanently disable 2FA. Doing so exposes your account to phishing, password reuse and SIM‑swap attacks — the very threats security keys are meant to prevent.

If you temporarily weaken your security to regain access, plan to:

  1. Add an authenticator app or backup key immediately, and
  2. Re‑enable strong 2FA as soon as X’s login systems are stable.

5. Watch out for phishing emails and fake “support”

Incidents like this are a magnet for scammers. Be wary of:

  • Emails claiming to be from “X Security” asking you to “fix” your key,
  • Direct messages offering to restore your account for a fee,
  • Links that look like x.com but aren’t (extra characters, weird subdomains, etc.).

If you’re going to click anything, type x.com yourself into the browser and navigate via the official interface rather than trust links in messages.

One last stumble for X’s long, messy rebrand

From a branding perspective, this outage is symbolically brutal.

  • Design site Creative Bloq recently called Musk’s X makeover “one of the messiest rebrands of the decade,” noting that people still instinctively refer to the platform as “X, formerly known as Twitter” more than two years later. [27]
  • That piece pointed out that one of the last technical remnants of Twitter — the twitter.com URL — was finally being retired, with logins redirecting fully to x.com.

Now, the very act of burying twitter.com has dragged the old brand back into headlines, as users complain that “Twitter messed up again” while trying to fix the last traces of… Twitter. [28]

For critics, this incident fits a pattern they’ve highlighted since Musk’s acquisition: aggressive, top‑down changes rolled out at high speed, with pared‑down engineering teams and seemingly limited safety nets. Numerous outlets today explicitly frame the outage as the latest in a series of operational stumbles since the $44 billion takeover. [29]

Does this mean passkeys and security keys are a bad idea?

Short answer: no — but it’s a warning about how you deploy them.

Reports from BleepingComputer, The Verge and The Register all emphasize that hardware keys and passkeys remain some of the most secure forms of authentication available today. They dramatically reduce phishing risk because they will only respond on the exact domain they were registered to. [30]

What went wrong here wasn’t the underlying technology. It was:

  • Poorly handled migration planning (forcing re‑enrollment against a hard deadline),
  • A buggy re‑enrollment flow with no reliable fallback,
  • Weak communication during the outage, leaving users to debug security failures in public. [31]

For other platforms watching this play out, the lesson is clear:

If you’re going to move millions of users to a new domain with hardware‑bound credentials, you need bulletproof testing, gradual rollout and robust recovery paths.

FAQ: X security key outage, November 13, 2025

What triggered X’s login outage?
A forced migration of security keys and passkeys from the twitter.com domain to x.com, combined with a broken re‑enrollment flow that trapped users in YubiKey/passkey loops and blocked access to account settings. [32]

Who was most affected?
Users who had configured hardware security keys or passkeys for 2FA, especially those whose keys were originally registered when logins still used twitter.com. Many of them were temporarily or still completely locked out. [33]

Is the issue fixed now (November 13, 2025)?
Reports from Windows Central and Reddit show that many users can log in again after X apparently rolled back parts of the change, but others remain stuck, and X has not issued a detailed public post‑mortem. [34]

Did X get hacked?
There’s no public evidence of a hack or data breach. X and independent security reporting attribute the incident to a botched internal security key migration, not an external attack. [35]

Should I turn off 2FA on my X account?
Only as a last resort. Turning off 2FA makes your account much easier to compromise. If you must weaken security to regain access, add an authenticator app or backup key and turn strong 2FA back on as soon as X’s systems stabilize. [36]

As of November 13, the crisis is slowly unwinding, but the damage to user trust — and to the already controversial X rebrand — may last much longer than the outage itself.

How to fix Xbox not signing in to your account (check service status in Xbox assist) 0X87DD0033
Watch this video on YouTube.

References

1. www.creativebloq.com, 2. www.theverge.com, 3. www.theverge.com, 4. www.bleepingcomputer.com, 5. www.androidcentral.com, 6. www.reddit.com, 7. www.androidcentral.com, 8. www.techbuzz.ai, 9. www.newsbytesapp.com, 10. www.storyboard18.com, 11. www.techbuzz.ai, 12. techcrunch.com, 13. www.windowscentral.com, 14. www.reddit.com, 15. www.reddit.com, 16. www.newsbytesapp.com, 17. www.androidcentral.com, 18. www.theverge.com, 19. www.techbuzz.ai, 20. www.theregister.com, 21. www.theregister.com, 22. www.newsbytesapp.com, 23. www.bleepingcomputer.com, 24. www.androidcentral.com, 25. www.reddit.com, 26. www.bleepingcomputer.com, 27. www.creativebloq.com, 28. www.creativebloq.com, 29. www.techbuzz.ai, 30. www.bleepingcomputer.com, 31. www.techbuzz.ai, 32. www.newsbytesapp.com, 33. www.techbuzz.ai, 34. www.windowscentral.com, 35. www.theregister.com, 36. www.bleepingcomputer.com

Mateusz Brzeziński

Technology News

  • Google app rolls out Pinterest-like Images tab to all US users
    November 14, 2025, 12:52 AM EST. Google is rolling out a Pinterest-like Images tab in the Google app to all US users on Android and iOS. The new tab adds a personalized image feed based on your interests, letting you browse, save to collections, or search for more inspiration. You can long-press images to share, save, or hide them, and use Google Lens for quick visual searches. When you first open Images, you'll select topics of interest to tailor the feed, which draws from publicly available images in Google Search. The tab sits alongside Home, Search, Notifications, and Activity, and the rollout will continue over the coming weeks. There's no word yet on global availability.
  • OnePlus 15 Review: Bold Redesign, Power-Packed Performance, and Enduring Battery
    November 14, 2025, 12:50 AM EST. OnePlus 15 marks a notable shift for the brand, trading the Hasselblad partnership for a design- and performance-focused approach. The OnePlus 15 debuts a squircle design, drops the beloved alert slider in favor of a customizable shortcut button, and centers on raw power, gaming performance, and extended battery endurance. It sports flat sides and ultra-slim bezels aided by a low-injection-pressure over-moulding process that maximizes screen real estate. The new Sand Storm finish uses micro-arc oxidation to deliver a ceramic-grade coating that's tougher and more fingerprint-resistant. Available in Infinite Black and other colors, it blends striking aesthetics with practicality, signaling a year of focused performance-even if branding shifts away from Hasselblad.
  • Is MP Materials the Next Nvidia? Scarcity, Rare-Earths, and U.S. Supply Chains
    November 14, 2025, 12:48 AM EST. MP Materials has surged about 250% this year as demand for rare-earth magnets-vital in motors, EVs, and speakers-remains strong. Its Mountain Pass mine in California positions MP among the few U.S. sources of rare-earth metals, underscoring a domestic-supply narrative amid China's dominance. The piece draws a parallel to Nvidia, not for products but for scarcity's role in value: Nvidia's AI-driven chips versus MP's scarce input metals. Yet MP is a capital-intensive mining company exposed to commodity cycles, unlike Nvidia's high-margin software and AI growth. Policy support, including a $400 million push from the Trump administration, underscores the urgency of U.S. independence from Chinese imports. In short, MP resembles a mining analogue to Nvidia, but the core risks and economics diverge.
  • Apple's iPhone Pocket Draws Mockery as $230 Fabric 'Sock' in Issey Miyake Collaboration
    November 14, 2025, 12:46 AM EST. Apple's new iPhone Pocket, a limited-edition fabric sleeve created with Issey Miyake, is drawing skepticism for its fabric sock-like design and hefty price tag of $230. Short strap costs $149.95 and long strap $229.95. Critics call it a fashion accessory rather than a protective case, highlighting concerns about security and theft as the device slips into a ribbed textile bag. Apple touts it as a 'beautiful way to wear and carry iPhone' and notes its 3D-knitted construction, but online response ranges from amusement to incredulity as markets in the US, UK, France, and beyond prep for limited release.
  • FAA Issues Emergency Order: Commercial Space Launch Hours Restricted to 10 PM-6 AM
    November 14, 2025, 12:40 AM EST. After ending the federal shutdown, the FAA issued a new Emergency Order replacing the November 7 one, taking effect at 6:00 AM today. Beginning November 13, 2025 at 6:00 AM EST, commercial space launches and re-entries are limited to the hours between 10:00 PM and 6:00 AM local time until further notice. The restriction aims to accommodate reduced ATC services and protect the safety and efficiency of U.S. airspace during a period of staffing strain. Policy questions loom: will the FAA lift or modify the rule as ATC stabilizes? How resilient is the air-traffic system for growing space activity? Should there be separate contingency mechanisms or dedicated corridor management, and who pays for any changes?