Social media accounts are among the most targeted online accounts for a simple reason: they are valuable. A compromised social media profile gives an attacker access to your personal information, your connections, and a trusted identity they can use to scam your friends and family. Securing these accounts is a critical part of your digital privacy and online safety strategy.
The challenge with social media security is that these platforms are designed to encourage sharing. Every privacy setting you enable works against the platform’s business model, which depends on collecting and monetizing your data. This creates a constant tug-of-war where platforms periodically introduce new features that default to maximum visibility, requiring you to actively opt out. Staying secure on social media is not a one-time configuration – it is an ongoing practice.
Universal Principles for All Platforms
Before diving into platform-specific guidance, these principles apply everywhere:
Use Strong, Unique Passwords
Every social media account needs its own unique password. If your Instagram password is the same as your email password, a breach at Instagram gives attackers access to your email – and through your email, to everything else. A password manager makes unique passwords practical. PanicVault can store all your social media credentials and autofill them on your iPhone, iPad, and Mac using system-wide AutoFill, so strong unique passwords do not mean friction.
Enable Two-Factor Authentication
Two-factor authentication is the single most effective security measure you can enable on any account. Even if someone obtains your password, they cannot log in without the second factor.
For social media, prefer these methods in order:
- Hardware security key (YubiKey or similar) – Phishing-proof
- Authenticator app (built into your password manager or a standalone app) – Strong and convenient
- SMS codes – Better than nothing, but vulnerable to SIM-swapping attacks
Avoid using SMS as your only second factor on high-value accounts. Attackers have demonstrated the ability to hijack phone numbers through social engineering of mobile carriers.
Review Connected Applications
Over the years, you have probably granted access to dozens of third-party apps through social login (“Sign in with Facebook/Google”). Each of these connections is a potential entry point. Review and revoke access for any application you no longer use or do not recognize.
Limit Personal Information in Your Profile
Your profile information – birthday, phone number, email, hometown, employer – is used for targeted advertising and can be exploited for social engineering, password reset attacks, or identity theft. Remove any information that is not essential for how you use the platform.
Be Cautious With Direct Messages
Many phishing attacks now happen through social media DMs rather than email. Be wary of messages with links, especially from accounts you do not know well. Even messages from friends could be from compromised accounts.
Platform-by-Platform Security Guide
Facebook
Facebook is the most data-rich social media platform for most people, often containing years of posts, photos, friend connections, and personal details.
Security settings (Settings > Security and Login):
- Enable two-factor authentication with an authenticator app
- Turn on login alerts to get notified when someone logs in from a new device or location
- Review “Where You’re Logged In” and log out of any sessions you do not recognize
- Set up 3-5 trusted contacts who can help you regain access if you are locked out
Privacy settings (Settings > Privacy):
- Set “Who can see your future posts?” to Friends (not Public)
- Set “Who can see your friends list?” to Only Me
- Disable “Allow search engines outside of Facebook to link to your profile”
- Review your timeline and tagging settings – enable review of posts you are tagged in before they appear on your timeline
- Limit who can send you friend requests to “Friends of friends”
Data minimization:
- Download your Facebook data archive (Settings > Your Facebook Information) to see what Facebook has collected about you
- Remove your phone number if you are not using it for 2FA (use an authenticator app instead)
- Review and remove old posts using the “Manage Activity” tool
- Review and revoke permissions for third-party apps (Settings > Apps and Websites)
Instagram
Instagram shares Facebook’s underlying infrastructure (both are Meta properties), so some settings overlap.
Security:
- Enable two-factor authentication (Settings > Security > Two-Factor Authentication)
- Review login activity and log out of unrecognized sessions
- Be extremely cautious with DMs from unknown accounts – Instagram is a primary vector for scams and phishing
Privacy:
- Set your account to private if you do not need a public presence
- Disable “Similar Account Suggestions” to prevent your profile from being recommended to strangers
- Review and restrict who can message you, mention you, and tag you
- Disable “Activity Status” to prevent others from seeing when you are online
X (formerly Twitter)
Security:
- Enable two-factor authentication (Settings > Security > Two-Factor Authentication) – note that X removed SMS-based 2FA for free accounts, so use an authenticator app
- Review connected apps and revoke access for any you do not recognize
- Review active sessions and log out of unused devices
Privacy:
- Protect your tweets if you want to limit visibility to approved followers
- Disable “Discoverability” options – uncheck “Let people who have your email find you” and the same for phone number
- Turn off “Personalize based on your inferred identity” and other ad personalization settings
- Review and delete old tweets if they contain personal information you no longer want public
LinkedIn
LinkedIn is often overlooked in security discussions because it is a professional platform, but it contains valuable information for social engineering – your employer, job title, professional connections, and career history.
Security:
- Enable two-step verification (Settings > Sign in & Security)
- Review active sessions regularly
- Be cautious about connection requests from people you do not know – LinkedIn is heavily targeted by spear-phishing campaigns
Privacy:
- Control your profile visibility settings – decide what is visible to non-connections and the general public
- Turn off “Profile viewing options” broadcasting to prevent others from seeing when you view their profiles
- Disable “Represent your organization” if you do not want LinkedIn suggesting you as a company representative
- Review data sharing settings and opt out of data used for advertising
TikTok
Security:
- Enable two-step verification
- Review devices logged in to your account
- Set a strong, unique password
Privacy:
- Set your account to private if you are not a content creator
- Disable “Suggest your account to others” options
- Review which data TikTok is allowed to collect (contacts, clipboard, etc.)
- Disable “Personalized ads”
- Be aware that TikTok’s data collection practices have been the subject of significant regulatory scrutiny
Recognizing and Responding to Account Compromise
Signs that your social media account may have been compromised:
- Posts or messages you did not create
- Login notifications from unfamiliar locations or devices
- Friends reporting messages or posts they know you did not make
- Changes to your profile information you did not make
- Unexpected password reset emails
- Being unable to log in with your normal credentials
If you suspect compromise:
- Change your password immediately – use a strong, unique password from your password manager
- Enable or re-enable two-factor authentication
- Review and end all active sessions except your current one
- Check for changes to your email address, phone number, or recovery options
- Review connected apps and revoke any you do not recognize
- Alert your friends and contacts that your account may have been compromised
- Check your other accounts – if the attacker found your password through a data breach, they may try it on other services
Social Engineering Through Social Media
Social media is the primary research tool for social engineering attacks. The information people share publicly – travel plans, workplace details, family relationships, daily routines – provides attackers with everything they need to craft convincing phishing messages.
Consider what an attacker could learn from your public profile:
- Your employer and job title (for spear-phishing targeting your organization)
- Your friends and family members (for impersonation)
- Your interests and activities (for crafting relevant lures)
- Your travel schedule (for physical security and targeted attacks)
- Your birthday and other personal details (for password reset attacks)
The defense is straightforward: limit what you share publicly and be intentional about what you post.
Privacy Versus Visibility
For many people, social media serves both personal and professional purposes. You may need a public LinkedIn presence for your career while wanting your personal Facebook locked down. The goal is not to disappear from social media but to make deliberate choices about what is public and what is private.
Some practical approaches:
- Separate personal and professional accounts – Use different platforms for different purposes, or maintain separate accounts where the platform allows it
- Use privacy settings granularly – Most platforms let you control visibility on a per-post or per-section basis
- Periodically audit your public presence – Search for your name in a private browsing window to see what is publicly visible
- Be thoughtful about photos – Photos contain metadata (location, time) and can reveal information about your home, habits, and companions
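To make the photo-metadata point concrete, here is an added example (not from the original post) in standard-library Python: it scans a JPEG's Exif APP1 segment for the GPS sub-IFD pointer that carries location coordinates and strips that segment before the photo is shared. The sample JPEG header is constructed inline; real photos carry more segments and more Exif tags, but the marker layout the code walks is the same.

```python
import struct

EXIF_HEADER = b"Exif\x00\x00"
GPS_IFD_POINTER = 0x8825  # TIFF/Exif tag whose value is the offset of the GPS sub-IFD

def _segments(jpeg: bytes):
    """Yield (marker, start, end) for each marker segment before the image data."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker == 0xDA:  # SOS: entropy-coded image data follows, stop scanning
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def exif_has_gps(jpeg: bytes) -> bool:
    """True if an Exif APP1 segment's IFD0 points at a GPS sub-IFD (location data)."""
    for marker, start, end in _segments(jpeg):
        if marker != 0xE1 or jpeg[start + 4:start + 10] != EXIF_HEADER:
            continue
        tiff = jpeg[start + 10:end]                 # TIFF structure starts after "Exif\0\0"
        endian = "<" if tiff[:2] == b"II" else ">"  # byte order declared in the TIFF header
        ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
        count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
        for i in range(count):                      # each IFD entry is 12 bytes: tag, type, count, value
            entry = ifd0 + 2 + 12 * i
            if struct.unpack(endian + "H", tiff[entry:entry + 2])[0] == GPS_IFD_POINTER:
                return True
    return False

def strip_exif(jpeg: bytes) -> bytes:
    """Return a copy of the JPEG with every Exif APP1 segment removed (pixel data untouched)."""
    out = bytearray(jpeg)
    for marker, start, end in reversed(list(_segments(jpeg))):
        if marker == 0xE1 and jpeg[start + 4:start + 10] == EXIF_HEADER:
            del out[start:end]
    return bytes(out)

def sample_jpeg_with_gps() -> bytes:
    """Constructed sample: JPEG header whose Exif IFD0 has one entry, a GPS sub-IFD pointer."""
    ifd0 = struct.pack("<HHHII", 1, GPS_IFD_POINTER, 4, 1, 26) + struct.pack("<I", 0)  # GPS IFD at offset 26
    gps = struct.pack("<HHHI", 1, 0x0001, 2, 2) + b"N\x00\x00\x00" + struct.pack("<I", 0)  # GPSLatitudeRef "N"
    tiff = b"II" + struct.pack("<HI", 42, 8) + ifd0 + gps
    app1 = b"\xff\xe1" + struct.pack(">H", len(EXIF_HEADER + tiff) + 2) + EXIF_HEADER + tiff
    return b"\xff\xd8" + app1 + b"\xff\xda\x00\x02"  # SOS marker stands in for the image data
```

Run `exif_has_gps` over a photo before uploading; if it returns True, share the output of `strip_exif` instead. Note that most platforms strip Exif on upload, but the original file you send by DM or email keeps it.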
