Social Media Security & Privacy Checklists (Open Source)

This is part of training material released by The New York Times. For more information, please
read this article on NYT Open and see this resource guide. If you wish to make changes to this
doc, please make a copy using the dropdown menu under “File” above.
Social Media Security & Privacy Checklists
In this guide, we’ll cover the recommended settings for each platform that will keep your
accounts secure. Follow these general recommendations to protect your accounts from
compromise or unintentional data exposure.
Passwords
Two-factor authentication
Direct Messages (DMs)
Facebook
Instagram
Security Checkup
Threads
Twitter
LinkedIn
TikTok
Venmo
Reddit
Clubhouse
Mastodon
Additional Resources
Passwords
Not all passwords are created equal. A weak password can be easily guessed or discovered
based on context clues from your life. You should aim to have a strong password that helps
to deter unauthorized entry to your account(s). A strong password should be:
● Long - We recommend at least 12 characters or longer.
● Unique - Do not reuse a password across multiple accounts.
● Easy for you to remember but hard to guess - We recommend choosing a long passphrase over random passwords. For example, using a sentence like “The blue horse likes to eat chocolate” is a memorable password that is hard for others to guess. To meet password requirements, you can add punctuation and numbers to create “The b1ue horse likes to eat ch0c0late”.
If you are managing many accounts, it may become hard to manage all your strong, unique
passwords. We recommend setting up a password manager. A password manager will
keep track of all your strong passwords and is easily accessible to you through a browser
extension, mobile app, or desktop app.
Two-factor authentication
Two-factor authentication provides an additional layer of security that verifies your identity
when logging into an account. Check to see if you can enable two-factor authentication on
your accounts by visiting https://2fa.directory. There are three common forms of two-factor
authentication available for accounts:
● SMS (text message) - This is the least secure two-factor option, largely because the messages are unencrypted and susceptible to SIM hijacking attacks. However, keep in mind that SMS is still a better option than no 2FA at all.
● Third-party authenticator app - An authenticator app lives on your mobile device and generates a one-time code required after entering your password. To use a third-party authenticator app you’ll first need to download one (like Google Authenticator, LastPass Authenticator, etc.) from your mobile device’s app store.
● Security keys (hardware token) - This is the most secure 2FA option. It’s a small physical key that you have to directly insert into your device, or connect via NFC or Bluetooth, to log in.
Recovery Codes
Enabling two-factor authentication comes with the risk of losing your authorized device,
potentially blocking you from accessing important apps. Many accounts offer recovery
codes, which can be used in place of two-factor authentication when your device
is not available.
This list of codes is normally given to you at the end of successfully enabling two-factor
authentication with an app. We recommend storing these in a safe place until needed. The
codes can be quickly saved within a password manager using a Secure Note for later use.
Direct Messages (DMs)
If you are reaching out to a source via social media, please note that DMs are not a secure
method. For sensitive conversations, you should move over to another platform. If you
need to use a third-party tool for newsgathering, follow the general recommendations in
the Secure Communications Guide to reduce the risk of your communications being
accidentally exposed.
Facebook
✅ Set a strong, unique password
● Where is that? Settings & Privacy → Settings → Security & Login → Login
✅ Enable two-factor authentication
● Where is that? Settings & Privacy → Settings → Security and Login → Two-Factor Authentication
● What are my options? SMS, Authenticator App or Security Key
✅ Turn on login alerts
● Where is that? Settings & Privacy → Settings → Security and Login → Setting Up Extra Security
✅ Review where you are logged in and revoke unfamiliar sessions
● Where is that? Settings & Privacy → Settings → Security and Login → Where You're Logged In
✅ Hide your friends list from Public view
● Where is that? Settings & Privacy → Settings → Privacy → How People Find and Contact You
✅ Edit who can look up your profile using your email or phone number
● Where is that? Settings & Privacy → Settings → Privacy → How People Find and Contact You
✅ Disallow search engines from linking to your profile
● Where is that? Settings & Privacy → Settings → Privacy → How People Find and Contact You
✅ Review who can see your future posts
● Where is that? Settings & Privacy → Settings → Privacy → Your Activity
✅ Edit (all at once) who can see past posts you’ve shared
● Where is that? Settings & Privacy → Settings → Privacy → Your Activity → Limit Past Posts
✅ Edit (individually) all your posts and items you’re tagged in
● Where is that? Settings & Privacy → Settings → Activity Log
✅ Review how others can interact and post to your profile
● Where is that? Settings & Privacy → Settings → Profile and Tagging → Profile
✅ Review who can tag your account in posts and pictures
● Where is that? Settings & Privacy → Settings → Profile and Tagging → Tagging
✅ Review who can see the people, Pages, and lists you follow
● Where is that? Settings & Privacy → Settings → Privacy → Your Activity
✅ Review the apps and websites that have access to your account
● Where is that? Settings & Privacy → Settings → Apps and Websites
✅ Review Off-Facebook Activity
● Where is that? Settings & Privacy → Settings → Your Facebook Information → Off-Facebook Activity
Any journalist or freelance contributor working in an editorial capacity for a news
organization that is registered as a news Page on Facebook is encouraged to register as
a journalist on Facebook using their personal Facebook account.
Registered journalists will receive stronger security features that further protect their
Facebook and Instagram accounts, and may be eligible for other benefits, such as Blue
Badge verification.
✅ Register for Journalist Facebook Resources
● Where is that? Settings & Privacy → Settings → Journalist Resources
Instagram
✅ Set a strong, unique password
● Where is that? From your profile, tap the menu icon → Settings → Security → Password
✅ Enable two-factor authentication
● Where is that? From your profile, tap the menu icon → Settings → Security → Two-Factor Authentication
● What are my options? SMS and Authenticator app
✅ Review where you are logged in and revoke unfamiliar sessions
● Where is that? From your profile, tap the menu icon → Settings → Security → Login Activity. Log out by tapping on the 3 dots.
✅ Remove any uploaded contacts and disable contact sync
● Where is that? From your profile, tap the menu icon → Settings → Account → Contacts Syncing
✅ Set account to private (if not being used in a professional manner)
● Where is that? From your profile, tap the menu icon → Settings → Privacy → Account Privacy
The following settings are not available in the mobile app. Log into instagram.com from
your computer or your phone's browser.
✅ Revoke unauthorized applications that are linked to your account
● Where is that? Click on your profile icon in the top right corner → Edit Profile → Apps and Websites
✅ Turn off similar account suggestions
● Where is that? Click on your profile icon in the top right corner → Edit Profile → Similar Account Suggestions
Security Checkup
If Instagram detects a suspicious login on your account, a prompt will guide you through the
steps needed to re-secure your profiles. This includes checking recent login activity,
reviewing profile information, confirming the accounts that share login information, and
updating the account’s recovery contact information, such as phone number or email, in
order to undo a hacker’s changes.
Threads
Threads, the latest social media platform from Meta, is a place to share text-based updates
and join public conversations. Threads presents and functions very similarly to its
competitor, Twitter, in that you can like, repost, and quote posts shared by other accounts.
Note that you must have an Instagram account before you can create a Threads
account. Once your Threads account is created, it cannot be deleted unless
you also delete your Instagram.
Threads will utilize your Instagram login credentials and other pieces of information to
create your account. You can choose to either import the accounts you follow from
Instagram or manually follow accounts as you go.
Threads is another entry into the federated social media landscape colloquially referred to
as the “Fediverse.” This means that it is built on an interoperable protocol that will allow
accounts hosted on platforms and servers outside of Meta’s purview to view your posts if
public. Additionally, if you post on these “outside platforms” via Threads and later choose to
delete this post off of your Threads account, Meta can only request to have them deleted
elsewhere.
Be aware that some account security and privacy settings will be applied to both Threads
and Instagram accounts when configured. Once you select an option below the “Other
account settings” disclaimer you will be routed to the “Meta Account Center”. Here you
will be able to edit settings for Instagram (which affects Threads) as well as Facebook.
✅ Set a strong, unique password
● Where is that? From your profile, tap the menu icon in the top right corner → Account → Security → Change Password
✅ Enable two-factor authentication
● Where is that? From your profile, tap the menu icon in the top right corner → Account → Security → Two-factor authentication
● What are my options? SMS and Authenticator app
✅ Review where you are logged in and revoke unfamiliar sessions
● Where is that? From your profile, tap the menu icon in the top right corner → Account → Security → Where you’re logged in
✅ Remove any uploaded contacts and disable contact sync
● Where is that? In Instagram: tap the menu icon in the top right corner → Settings and Privacy → Account Center → Your information and permissions → Upload Contacts
✅ Set account to private (if not being used in a professional manner)
● Where is that? From your profile, tap the menu icon in the top right corner → Privacy → Private profile
The following settings are not available in the mobile app. Log into instagram.com from
your computer or your phone's browser.
✅ Revoke unauthorized applications that are linked to your account
● Where is that? Click on your profile icon in the top right corner → Edit Profile → Apps and Websites
✅ Turn off similar account suggestions
● Where is that? Click on your profile icon in the top right corner → Edit Profile → Similar Account Suggestions
Twitter
✅ Set a strong, unique password
● Where is that? Tap More on the left side → Settings and privacy → Account → Password
✅ Enable two-factor authentication
● Where is that? Tap More on the left side → Settings and privacy → Account → Security → Two-factor authentication
● What are my options? SMS, Authenticator App, or Security Key
✅ Review where you are logged in and revoke unfamiliar sessions
● Where is that? Tap More on the left side → Settings and privacy → Account → Apps and sessions
✅ Revoke unauthorized applications that are linked to your account
● Where is that? Tap More on the left side → Settings and privacy → Account → Apps and sessions
✅ Enable password reset protection
● Where is that? Tap More on the left side → Settings and privacy → Account → Security → Password reset protect
✅ Edit who can look up your profile using your email or phone number
● Where is that? Tap More on the left side → Settings and privacy → Privacy and safety → Discoverability and contacts
✅ Disable location information on Tweets
● Where is that? Tap More on the left side → Settings and privacy → Privacy and safety → Location
✅ Disable photo tagging
● Where is that? Tap More on the left side → Settings and privacy → Privacy and safety → Photo tagging
LinkedIn
✅ Set a strong, unique password
● Where is that? Click on your profile photo (Me) → Settings & Privacy → Sign in & Security → Account Access → Change password
✅ Enable two-factor authentication
● Where is that? Click on your profile photo (Me) → Settings & Privacy → Sign in & Security → Account Access → Two-step verification
● What are my options? SMS or Authenticator App
✅ Review where you are logged in and revoke unfamiliar sessions
● Where is that? Click on your profile photo (Me) → Settings & Privacy → Account → Where you’re signed in
✅ Revoke unauthorized applications that are linked to your account
● Where is that? Click on your profile photo (Me) → Settings & Privacy → Account Preferences → Partners and services
✅ Edit who can look up your profile using your email or phone number
● Where is that? Click on your profile photo (Me) → Settings & Privacy → Visibility → Visibility of your profile & network → Profile discovery using email address, Profile discovery using phone number
✅ Disable the visibility of your profile to non-LinkedIn users
● Where is that? Click on your profile photo (Me) → Settings & Privacy → Visibility → Visibility of your profile & network → Edit your public profile
✅ Update the visibility of your email address to first-degree connections
● Where is that? Click on your profile photo (Me) → Settings & Privacy → Visibility → Visibility of your profile & network → Who can see or download your email address
✅ Limit who can see your connections
● Where is that? Click on your profile photo (Me) → Settings & Privacy → Visibility → Who can see your connections
TikTok
✅ Set a strong, unique password
● Where is that? From your profile, tap the menu icon → Settings & Privacy → Manage Account → Password
✅ Enable two-step verification
● Where is that? From your profile, tap the menu icon → Settings & Privacy → Security and Login → 2-Step Verification
● What are my options? SMS and email (TikTok requires you to set up both)
✅ Disallow others from downloading your videos
● Where is that? From your profile, tap the menu icon → Settings & Privacy → Privacy → Safety → Downloads → turn off
✅ Disable contacts and unsync Facebook friends
● Where is that? From your profile, tap the menu icon → Settings & Privacy → Privacy → Sync Contacts and Facebook Friends → turn off
✅ View security alerts for any unusual account activity
● Where is that? From your profile, tap the menu icon → Settings & Privacy → Security and Login → Security Alerts
✅ View all devices logged into your account and revoke any suspicious sessions
● Where is that? From your profile, tap the menu icon → Settings & Privacy → Security and Login → Manage Devices → delete any unfamiliar devices
✅ If it’s a personal account, set account to private
● Where is that? From your profile, tap the menu icon → Settings & Privacy → Privacy → Private Account
✅ Turn off account suggestions for others
● Where is that? From your profile, tap the menu icon → Settings & Privacy → Privacy → Suggest Your Account to Others
✅ Enable additional privacy controls for who can comment on your videos, mention you and see that you’ve viewed another profile
● Where is that? From your profile, tap the menu icon → Settings & Privacy → Privacy → Safety
  ○ → Comments
  ○ → Mentions
  ○ → Following
  ○ → Duet
  ○ → Stitch
  ○ → Liked videos
  ○ → Direct messages
  ○ → Profile views
✅ Remove connected third-party apps
● Where is that? From your profile, tap the menu icon → Settings & Privacy → Security & Login → Manage App Permissions
Venmo
✅ Set a strong, unique password
● Where is that? Tap Me in the bottom right corner → tap the settings icon in the top right corner (scroll down to Security) → Change Password
✅ Enable Touch ID & PIN
● Where is that? Tap Me in the bottom right corner → tap the settings icon in the top right corner → Touch ID & PIN
✅ Make future transactions private
● Where is that? Tap Me in the bottom right corner → tap the settings icon in the top right corner → Privacy → Default Privacy Settings → select Private
✅ Set all past transactions to private
● Where is that? Tap Me in the bottom right corner → tap the settings icon in the top right corner → Privacy (scroll down to More) → Past Transactions → select Change All to Private
✅ Remove devices that you no longer want Venmo to remember
● Where is that? Tap Me in the bottom right corner → tap the settings icon in the top right corner → Security → Remembered Devices → Other Devices → remove any unfamiliar or old devices
✅ Make your friends list private
● Where is that? Tap Me in the bottom right corner → tap the settings icon in the top right corner → Privacy (scroll down to More) → Friends List → select Private
✅ Turn on notifications for payments so you’re alerted to any fraudulent activity
● Where is that? Tap Me in the bottom right corner → tap the settings icon in the top right corner → Notifications → select push or text notifications → enable Payment Sent
✅ Turn on notifications for logins from other devices
● Where is that? Tap Me in the bottom right corner → tap the settings icon in the top right corner → Notifications → select email notifications → enable Login Attempted
Reddit
✅ Set a strong, unique password
● Where is that? User Settings → Account → Change Password
✅ Enable two-factor authentication
● Where is that? User Settings → Safety & Privacy → Two-factor Authentication
● What are my options? SMS or Authenticator App
✅ Revoke unauthorized applications that are linked to your account
● Where is that? User Settings → Safety & Privacy → Manage third-party app authorization
✅ Disable logging of outbound clicks
● Where is that? User Settings → Safety & Privacy → Toggle off Personalize all of Reddit based on the outbound links you click on
✅ Disable search engine indexing
● Where is that? User Settings → Safety & Privacy → Toggle off Show up in search results
✅ Disable content visibility
● Where is that? User Settings → Profile → Toggle off Content Visibility
✅ Remove which communities you are active in from your profile
● Where is that? User Settings → Profile → Toggle off Active in communities visibility
Clubhouse
✅ Use a virtual number during account creation
● Where is that? Create a Google Voice number to do this.
✅ Don’t share contacts during account creation
● Where is that? During account set up, select Skip when Clubhouse asks to access your contacts
✅ Unlink your associated social media accounts
● Where is that? Settings → Select your name → Select Unlink Twitter or Unlink Instagram
✅ Deactivate account
● Where is that? Settings → Select your name → Deactivate Account
Keep in mind that Clubhouse is not end-to-end encrypted. You should assume that all
conversations (even private chats) could be made public, and not use Clubhouse for
sensitive communications.
Mastodon
✅ Set a strong, unique password
● Where is that? Settings → Edit Profile → Account → Change Password
✅ Enable two-factor authentication
● Where is that? Settings → Edit Profile → Account → Two-factor Auth
✅ Confirm you’re following legitimate accounts
● Where is that? Navigate to the user’s profile → look for a green checkmark that verifies external links in the user’s profile (web, podcast, Twitter, etc.)
✅ Verify your account
● Where is that? Settings → Edit Profile → Appearance → include links to your site/podcast/Twitter → once Mastodon verifies these, you’ll see a green checkmark next to the link in your profile
✅ Determine the publishing level of your posts
● Mastodon has a few different feed privacy settings (referred to as “Circle”): public, unlisted (meaning publicly available but won’t appear in the Mastodon timeline), followers-only, and direct (meaning visible to only the people mentioned)
● Where is that? Settings → Edit Profile → Preferences → Post Privacy
✅ Keep your Mastodon account private
● Where is that? Settings → Edit Profile → Lock account
✅ Prevent search engines from linking to your account
● Where is that? Settings → Preferences → Opt-out of search engine indexing
DMs in Mastodon
Direct messages (DMs) are not encrypted, meaning they’re stored in plaintext on the
Mastodon server. This means these messages could be read by the server administrators
and stored on multiple Mastodon servers. You should not use Mastodon to send sensitive
information.
If you mention another Mastodon user in a DM with someone else, the person you “@” will
also see a copy of that message. Essentially, if you mention another user via DM, you’re
automatically including them in the conversation.
Additional Resources
Facebook Help Center
Instagram Help Center
Twitter Help Center
LinkedIn Help
Reddit Help