X is killing “twitter.com” Update your account settings to avoid lockout.

X’s long goodbye to Twitter is over. The company says the twitter.com domain is being retired and certain users must take a simple security step or lose access. The deadline is November 10, 2025. If you sign in with a hardware security key such as a YubiKey or a passkey, you need to re-enroll that factor under x.com.

What’s changing, and why it matters

Security keys and passkeys are bound to a domain for anti-phishing reasons. Many were enrolled years ago under twitter.com, so they will stop working once X completes the cutover to x.com.

X’s Safety team has said this is not due to a breach, and it does not affect authenticator-app codes or SMS. If you do nothing and you use keys or passkeys, your account will be locked until you update the setting.

To clarify: this change is not related to any security concern, and only impacts Yubikeys and passkeys – not other 2FA methods (such as authenticator apps). Security keys enrolled as a 2FA method are currently tied to the twitter[.]com domain. Re-enrolling your security key will… https://t.co/PlXOTnNXPM
— Safety (@Safety) October 26, 2025

Who must do something today

People who use hardware security keys for 2FA
People who use passkeys on iOS, Android, or desktop
If you rely only on an authenticator app or SMS, this change does not apply. Keeping 2FA enabled is still strongly recommended.

How to fix it in under a minute

Go to your account’s Two-factor authentication settings in settings.
Remove or disable the existing security key or passkey that was tied to twitter.com.
Re-enroll the same key or add a new one so it is associated with x.com.
If you miss the deadline and get locked out, you can re-enroll a key, switch to another 2FA method, or temporarily disable 2FA to regain access. Disabling 2FA is not recommended.

What’s being reported, plus what we can add

CNET flagged the retirement and the lockout risk in a recent explainer. Additional reporting across news outlets fills in useful details:

Scope and timing: X set Nov. 10, 2025 as the action-by date for key and passkey users. Other outlets note this is one of the final steps in erasing the old brand.
Not a breach: X’s Safety account explained the re-enrollment requirement stems from the domain switch rather than a compromise.
Edge cases and knock-on effects: Expect ripple effects for legacy links and embeds that still reference twitter.com, plus headaches for tools and bots that hard-coded the old domain. Developers may need to reconfigure integrations.
Inactive accounts: Some reporting has speculated that non-compliant and clearly abandoned accounts could face additional enforcement. Organizations that parked handles should verify access and update security factors now.

What this means for organizations

Audit who on your team uses hardware keys or passkeys for X. Re-enroll those factors under x.com, and update any internal runbooks or IT docs that still reference twitter.com. If you publish embeds or auto-post links, test them under x.com and plan redirects where needed. Treat this as routine identity and link hygiene, not a security panic.

Bottom line: If you use a hardware key or a passkey, re-enroll it under x.com before Nov. 10, 2025 to avoid a temporary lockout. For everyone else, the main change is the URL in the address bar.