How to lock down your Twitter security and privacy


If you believe Twitter’s former security chief, the company has major problems keeping your data safe. So what should you do about it?

In a whistleblower complaint reported by The Washington Post, Peiter “Mudge” Zatko alleged that the company misled the public and regulators about “extreme, egregious shortcomings” in its defenses against hackers. Twitter said allegations by an employee who was fired after 15 months on the job were “riddled with inaccuracies.”

The allegations highlight a sobering reality: if we make services like Twitter central to our lives, work, and even democracy, the company owes us a duty to protect us. According to Zatko, Twitter’s controls over who could and couldn’t access your information, even inside Twitter, weren’t nearly as strong as they should be.

“Twitter users have very legitimate reasons to be upset” if Zatko’s allegations are true, said James Foster, CEO of cybersecurity firm ZeroFox. “It’s a breach of trust and a violation of best practice.”

What is the risk for you? You might think of Twitter primarily as a form of public communication: what you tweet goes out to the world. But the service also collects private information that could be dangerous if it fell into the wrong hands.


“It’s extremely important that people create threat models,” said Eva Galperin, director of cybersecurity at the digital rights nonprofit Electronic Frontier Foundation. “Think about what information Twitter has, who is likely to ask for it, and how they are likely to do it.”

The people who should be on high alert right now are those who could be targeted by a government or by someone who works at Twitter, she said. Those at higher risk include government employees, activists, journalists, and others whose jobs or personal safety depend on remaining anonymous or keeping tight control over their accounts.

But even for lower-risk Twitter users, the whistleblower’s disclosures are a good reminder that your direct messages, email address, or phone number could end up in the hands of criminals or governments.

“I don’t think it changes anything about what people should be doing, if only because we should have already been working with the assumption that all of our communications there could be seen by others,” said Troy Hunt, founder of Have I Been Pwned, which collects data breach information.


Twitter didn’t respond to a request for comment on the changes it made to strengthen security or any recommendations for users in light of the allegations.

Short of leaving Twitter, security experts say there are a few steps you can take to reduce your risk. Some of them will make using Twitter a little more annoying, but not nearly as annoying as having your data stolen.

1) Don’t use Direct Messages for sensitive communications

Unlike messaging services like Apple’s iMessage, the DMs you send on Twitter aren’t end-to-end encrypted. This means that if someone breaks into Twitter’s systems, the content of your messages could be exposed. Remember: something you’re writing might not feel particularly sensitive right now, but it might feel embarrassing or distressing at a different time or to a different audience.

The content of your messages could also be exposed if your accounts or those of others you speak to are compromised and accessed by hackers. Even if you delete a DM conversation from your own account, it remains on the account of the other person you spoke to.

2) Lock down your password

If you use your Twitter password on other websites or apps, change it now. One of the most coveted prizes in a breach is user logins and passwords. That’s because hackers know that many people reuse passwords across different websites and apps – so they can use the information to break into your email, bank, or work.

You should use a strong, unique password for each individual account and have a good password manager to help you stay organized. Using a password manager is easier than you might think.

While you’re at it, make sure you’ve also turned on two-factor authentication for your Twitter account — but do it with an app, not SMS text messages. (More on that below.)

3) Use a separate email address

If staying truly anonymous on Twitter is important to you, don’t use your real, primary email address for your Twitter account. Instead, use a throwaway or “burner” address that automatically forwards to your primary email. (Read more advice on setting up disposable email here.)

Using a dedicated address also protects you in other ways. If the email address tied to your Twitter account leaks in a breach, a unique address is harder to exploit: a hacker can’t use it to look up and attack your other accounts, and a compromise of that inbox doesn’t hand over password resets for everything else you use.

4) Use an authenticator app

It’s good security hygiene to use two-factor authentication for logins wherever it is available. On Twitter, you can have the second factor delivered by an app instead of by SMS text message.

Why is that better? If a hacker learns your phone number, they can try to intercept text messages meant for you, for example by convincing your carrier to move your number to a phone they control, and then use the codes to take over your accounts. Codes generated on your own device can’t be hijacked that way.


This extra step requires an app like Google Authenticator. It’s not as hard as it sounds, either: instead of waiting for a text message every time you log in, you open the app and type in the current six-digit code, which changes every 30 seconds. When you turn it on, save the backup codes Twitter gives you somewhere safe, so that losing your phone doesn’t lock you out of your account.

5) Check your other privacy and security settings

Make sure you’ve followed our Twitter privacy reset guide to reduce your exposure as much as possible. The less Twitter knows about you, the lower your risk.

For example, you probably don’t want to allow Twitter to collect information about your “precise location” that is used to show you local content and ads.

While you’re at it, consider using a service such as TweetDelete to remove your old tweets. You never know when something in them might come back to haunt you.
