Have you used a social media site or app today? Facebook, Instagram, Twitter, Pinterest, Snapchat, LinkedIn, etc.? How many times? How many sites or apps have you used? You don’t need me to tell you that social media use has skyrocketed over the last 10 years. With it has come a multitude of threats to security and privacy. Let’s look at 15 of those threats, and how to defend against them.
Note: this page contains affiliate links. Please see Affiliate Disclosure.
1. Insecure Accounts
Could the passwords to your social media accounts be easily guessed by those who know you? Are they made up of common dictionary words, with maybe a number or two tacked onto the end? Are the username and password all that are required to log into your accounts? If so, you’re inviting hackers to target you.
2. Malicious Messages
Just as emails can contain malicious links and attachments, so can messages in social media sites and apps.
Many social media messaging systems have read receipts (or their equivalent), telling the sender that you’ve read the message they sent you. These reveal behavioral patterns about when (and maybe where) you check messages.
3. Location Sharing
If you share your location on social media (automatically or manually), you reveal that you’re away from home and possibly other information that could put your money, possessions, or safety in danger. Even if you share your location only after you’re safely home, you reveal information about your behavior (places you frequently visit, times you commonly travel, etc.) that could be used against you.
Criminals monitor social media to see when you’re on vacation, then they may contact your elderly relatives to tell them you’ve been in an accident and that they need to send money for your treatment.
4. Revealing Photos
If you post pictures of credit cards, identification cards and badges, plane tickets, boarding passes, passports, or other items that contain sensitive data, you could put your money, possessions, or safety in danger.
5. Exposing Date of Birth
Is your birth date in your profile? If so, you increase your risk of identity theft. Scammers, fraudsters, and identity thieves can wreak havoc with just your name, date of birth (DOB), and address.
6. Revealing Bio
Your bio may contain a lot of personal info about your family, relationships, employers, places you’ve lived, etc. Sometimes that info is visible to the public; other times it’s visible only to friends/connections. A bad actor could learn a lot about you from your bio; could they learn enough to scam you, or answer security questions on your financial or medical accounts?
7. Unfriendly “Friends”
When you accept a friend on Facebook, a connection on LinkedIn, or the equivalent on other platforms, they instantly get access to a lot of your personal info. Are you sure that all your friends/connections are who they say they are, and that they don’t mean you harm? And if that friend/connection is legitimate, and their account gets hacked, then that hacker gets access to your personal info!
8. Staying Logged In
If you use someone else’s device (computer, phone, tablet, etc.) to log into your account, and just close the tab or browser when you’re finished, then the owner of that device will be able to come back later and use your account as you.
9. Social Logins
Some websites save you the hassle of creating a separate username and password by letting you log in with a social media account. If you do, and if someone hacks the social media account you used, they gain access to that website and any others you set up with that social media login.
10. Trusting Third Parties
If you allow a third-party app or account to connect to your social media account, you may forget about it and unwittingly grant it access to your social media data for years. That third party could share your data with others, or be hacked.
11. Personalized Ads
Many social platforms personalize ads by default. That means the platform collects data about you (from within the platform and even other sites and apps you use) to show you ads that are tailored to who you are and what you like. Sometimes the platform shares that information with its partners, too.
12. Public Means Public
If you participate in a public group (such as a Facebook group), then anyone on that platform can enter the group, see that you’re a member, and see your activity (posts, comments, likes, etc.). Do you ever share personal info in a public group? A bad actor could learn enough to scam you or answer your security questions.
13. Tell Me About Yourself
Have you joined groups, or indicated your interests by liking or following them? Sometimes that info is visible to the public; other times it’s visible only to friends/connections. A bad actor could learn a lot about you from observing your groups and interests, and use that info to scam you.
14. Abandoned Accounts
Think back over the last 10 years. How many social media accounts have you created? How many are you still using? How many have you abandoned? Have you closed or deleted those accounts, or are they still out there? Hackers target unused social media accounts and use them to post malicious content or even gain access to your other linked accounts.
15. Privacy? Here?
Do you expect the companies that run social media platforms to respect your privacy? Did you know that in the US, such platforms are considered public spaces, not private ones, and that any info shared there is covered by the third-party doctrine? This means you have no reasonable expectation of privacy related to the data that service providers collect on you.
The more time you spend on social media, the greater your vulnerability to hacking. Every picture you post, every quiz question you answer, every experience you recount, every shred of personal information you willingly share with “friends” increases your attack surface.
How to Increase Your Security & Privacy
Let’s go through each of those 15 threats and see how to be safer on social media.
1. Secure Your Accounts
Make sure that every account has a different, long, complex password (20+ characters, with a mix of uppercase, lowercase, numbers, and special characters). I recommend using a password manager, such as LastPass, to create and store your passwords.
Enable two-factor authentication (sometimes called security codes, two-step verification, 2FA, or multi-factor authentication). When you do, avoid the SMS/text option if possible. It’s better to use a hardware key (I like YubiKey – Amazon aff. link) or an authenticator app such as Authy (that’s what I use) or Google Authenticator. Create backup codes and store them somewhere secure; I use the Notes field of the entry in LastPass.
Regularly review each account’s security and privacy settings, because they change over time. Regularly take any security and privacy “checkups” offered by the platform.
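To make the two pieces of advice above concrete, here is an added example (not code from the original post or from any password manager or authenticator app) showing what a password manager and an authenticator app do under the hood: it generates a random password that satisfies the 20+ character, four-character-class rule, and it computes the same time-based one-time codes (RFC 6238 TOTP built on RFC 4226 HOTP, SHA-1, 30-second steps, 6 digits) that apps like Authy or Google Authenticator produce. The shared secret, the one-step clock-skew window in `verify_totp`, and the backup-code format are assumptions made for the example; the secret used in the demo is the RFC 6238 test-vector key, not a real account's.

```python
import hashlib
import hmac
import secrets
import string
import struct

# Character classes for the "20+ characters, mixed classes" password policy.
CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits, string.punctuation)
MIN_LENGTH = 20


def generate_password(length: int = MIN_LENGTH) -> str:
    """Return a random password containing at least one character from every class."""
    if length < len(CLASSES):
        raise ValueError("length too short to cover every character class")
    rng = secrets.SystemRandom()  # OS-backed CSPRNG, never random.random()
    chars = [secrets.choice(cls) for cls in CLASSES]  # guarantee one of each class
    alphabet = "".join(CLASSES)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    rng.shuffle(chars)  # so the guaranteed characters do not always sit first
    return "".join(chars)


def meets_policy(password: str) -> bool:
    """Check the length and character-class rule described in the post."""
    return len(password) >= MIN_LENGTH and all(
        any(c in cls for c in password) for cls in CLASSES
    )


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(key: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time / step."""
    return hotp(key, int(timestamp) // step, digits)


def verify_totp(key: bytes, code: str, timestamp: int, step: int = 30, window: int = 1) -> bool:
    """Server-side check (assumed behaviour): accept codes from +/- `window` steps
    to tolerate clock skew, comparing in constant time."""
    counter = int(timestamp) // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, counter + delta), code):
            return True
    return False


def generate_backup_codes(count: int = 10) -> list:
    """Single-use recovery codes (assumed format: 10 hex characters each)."""
    return [secrets.token_hex(5) for _ in range(count)]


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 SHA-1 test-vector secret.
    demo_key = b"12345678901234567890"
    print("password:", generate_password())
    print("TOTP at t=59:", totp(demo_key, 59))
    print("backup codes:", generate_backup_codes())
```

Two points worth noticing: the authenticator app never talks to the platform, so the "secret" it stores when you scan the QR code is the only thing that matters, which is why backup codes (generated the same way, from the OS random source) have to be kept somewhere safe; and `verify_totp` is what makes a code useless a minute later, so a code shared with a "support agent" is a live credential for that window.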
2. Be Careful with Messages
Just as you need to be careful about clicking links and opening attachments with email and other messages, you must be careful about clicking links and opening attachments in messages on social media.
I like to disable read receipts (or their equivalent). I’m not a fan of read receipts in any messaging platform, because I don’t like people knowing when I’ve read their message. It reveals behavioral patterns about when (and maybe where) you check messages.
3. Disable Location Sharing
Disable location sharing in all social media apps. Don’t post about travel until you’re home, and even then, be careful about what details you share. You don’t want to reveal too much about your behavior (places you frequently visit, times you commonly travel, etc.) that could be used against you.
4. Be Careful with Photos
Don’t post pictures of credit cards, identification cards and badges, plane tickets, boarding passes, passports, or other items that contain sensitive data.
Every time you post a photo (or anything!), use any controls that may be available to choose who can see the post. Use the smallest audience necessary. Be extremely careful about anything that you make public, as that makes it visible to the world.
5. Hide Date of Birth
Don’t put any part of your birth date (month, day, or year) in your profile. Don’t post about your birthday. If you insist on showing your birthday, ensure that no one can see your birth year, and only friends/connections can see the month and day. Learn more about protecting your birth date online.
6. Beware with Your Bio
Be very careful what you put in your bio. Don’t reveal too much personal info.
7. Verify “Friends”
When you receive a friend/connection request, it’s a good idea to verify the person’s identity. You want to confirm that they are the actual owner of the account, and that they really sent you a friend request (rather than someone who hacked their account, or an imposter account). You can do that by asking them in person, or through some other trusted channel that you’ve previously used to communicate with them (email, other social media, text/SMS, phone, etc.). Or you could ask a trusted mutual friend to confirm their identity.
8. Log Out of Others’ Devices
If you use someone else’s device (computer, phone, tablet, etc.) to log into your account, be sure to log out when you’re finished! If you forget, log into your account from one of your own devices and look through the settings for sessions or logins, for a way to log out remotely.
9. Don’t Use Social Logins
Don’t use the social login option to log into other websites! Yes, it’s more work to create separate logins for each site, but remembering the logins doesn’t take any extra effort if you use a password manager (I like LastPass).
10. Be Careful with Third Parties
Think carefully before you grant a third party access to your social media account. Be sure you know what permissions the third party will have (what data they’ll receive, and what they can do with your account). Regularly review the third-party apps and accounts that have access, and remove those that are no longer needed.
11. Opt Out of Personalized Ads
Opt out of personalized ads whenever it’s an option, to limit the amount of data that the social media platform and its partners collect and share about you.
12. Be Careful with Groups
If you participate in groups on social media, pay attention to the group types. Groups can be public or private, though they may have different labels. Each type has different privacy settings. Be especially careful what you post or comment in a public group, because of how many people can see your activity. But even in so-called private groups, be aware that other group members can copy and paste and take screenshots to share your activity with others outside the group. And the social platform can also see activity inside private groups.
13. Be Wary of What Groups and Interests Reveal
Be very careful what groups and interests you make visible through your liking or following them. Don’t reveal too much personal info. Some platforms let you hide groups or interests, so take advantage of that.
14. Delete Unused Accounts
Close/delete any social media account that you’re not using. If you’re claiming an account for future use, set it to private (if possible), or pause/suspend it (if possible), or follow it from one of your active accounts, or log into it regularly to watch for suspicious activity.
15. Be Privacy-Minded
Don’t expect complete privacy on social media, only degrees of privacy. Assume that everything you post on social media is permanent; you may delete something, but the social media company may still store it for years, and other users or companies may save their own copies.
When you create an account, don’t provide more information than is necessary. Are you sure you want to use your real name? Some companies have policies that require that, but not all.
- Cybersecurity & Privacy Guides (defendingdigital.com)
- Protecting Yourself on Social Networks (eff.org)
What You Should Do
- Secure your accounts.
- Be careful with messages.
- Disable location sharing.
- Be careful with photos.
- Hide date of birth.
- Beware with your bio.
- Verify “friends.”
- Log out of others’ devices.
- Don’t use social logins.
- Be careful with third parties.
- Opt out of personalized ads.
- Be careful with groups.
- Be wary of what groups and interests reveal.
- Delete unused accounts.
- Be privacy-minded.