How to lock down your Twitter security and privacy

COMMENTARY

If you believe Twitter’s former security chief, the company has not gone to great lengths to keep your data safe. So what should you do about it?

In a whistleblower complaint reported by The Washington Post, Peiter “Mudge” Zatko alleged that the company misled the public and regulators about “extreme, egregious deficiencies” in its defenses against hackers. Twitter has said the allegations are “riddled with inaccuracies” by an employee fired after 15 months on the job.

The allegations highlight a stark reality: When we make services like Twitter central to our lives, work and even our democracy, we depend on that corporation to protect us. According to Zatko, Twitter’s controls over who could and couldn’t access your information — even within Twitter — weren’t as strong as they should have been.

“Twitter users have very legitimate reasons to be upset” if Zatko’s claims are true, said James Foster, CEO of cybersecurity company ZeroFox. “It’s a breach of trust and a breach of best practice.”

What is the risk to you? You can think of Twitter primarily as a form of public communication – when you tweet, it goes out for the world to see. But the service can also collect information that is private or even dangerous if it falls into the wrong hands.


“It’s extremely important that people do threat modeling,” said Eva Galperin, director of cybersecurity at the digital rights nonprofit Electronic Frontier Foundation. “Think about what information Twitter has, who is likely to come looking for it, and how they are likely to do so.”

The kind of person who should now be on high alert could be the target of attacks by a government or someone who works at Twitter, she said. People at higher risk include government workers, activists, journalists and others whose work or personal safety depends on remaining anonymous or maintaining tight control over their accounts.

But even for less risk-averse Twitter users, the whistleblower revelations are a good reminder: Your direct messages, email address or phone number could fall into the hands of criminals or governments.

“I don’t think it changes anything about what people have to do, just because we should have already been working under the assumption that all of our communications out there could be seen by others,” said Troy Hunt, founder of Have I Been Pwned, which collects information from data breaches.


Twitter did not respond to a request for comment about changes it was making to strengthen security, or recommendations for users in light of the allegations.

Security experts say that, in addition to leaving Twitter, there are steps you can take that can reduce your risk. Some of these can make using Twitter more annoying — but maybe not as annoying as having your data stolen.

1) Do not use direct messages for any sensitive communication

Unlike messaging services such as Apple’s iMessage, the DMs you send on Twitter are not end-to-end encrypted. This means that if someone breaks into Twitter’s systems, the content of your messages can be revealed. Remember: Something you DM may not feel particularly sensitive at the moment, but it may seem embarrassing or incriminating at a different time or to a different audience.

The content of your messages can also be revealed if you or any of the other people you are talking to have their accounts compromised and accessed by hackers. Even if you delete a DM conversation from your account, it remains on the account of the other person you were talking to.

2) Lock down your password

If you’re using your Twitter password on another website or app, change it now. One of the most sought-after prizes of any breach is user logins and passwords. That’s because hackers know that many people reuse passwords across different websites and apps — so they can use the information to get into your email, bank or work.

You should use a strong, unique password for every single account and have a good password manager to help you keep track of them all. It’s easier to use a password manager than you might think.
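The reason password reuse is so damaging is that a single breached login can be replayed against every other service where the same password was used. The following added example (not part of the original article, and not code from Twitter or Have I Been Pwned) shows two defensive checks a password manager or audit script can run: flagging a password that is reused across accounts, and testing a password against a breach corpus without ever sending the password or its full hash off the device. It uses the k-anonymity range-query pattern: only the first five hex characters of the SHA-1 hash are sent, the server answers with every suffix sharing that prefix, and the match is made locally. The corpus, counts and server stand-in are constructed here so the code runs offline; they are assumptions, not real breach data.

```python
import hashlib
from typing import Callable, Iterable, List, Tuple


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password (the hash form breach-check services key on)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breach corpus (assumption: a real one holds hundreds
# of millions of entries). Maps SHA-1 hash -> times seen; counts are made up.
CONSTRUCTED_CORPUS = {
    sha1_hex("password"): 1500,
    sha1_hex("123456"): 2500,
    sha1_hex("qwerty"): 900,
}


def simulated_range_endpoint(prefix: str) -> str:
    """Stand-in for the server side of a k-anonymity range query.

    It receives only the first 5 hex chars of a hash and returns every corpus
    entry sharing that prefix as 'SUFFIX:COUNT' lines, so it never learns which
    of those entries (if any) the client was asking about.
    """
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    prefix = prefix.upper()
    lines = [f"{h[5:]}:{n}" for h, n in CONSTRUCTED_CORPUS.items() if h.startswith(prefix)]
    return "\n".join(lines)


def breach_count(password: str,
                 query: Callable[[str], str] = simulated_range_endpoint) -> int:
    """How many times the password appears in the corpus (0 if unseen).

    Only the 5-character hash prefix leaves the client; the password itself and
    the remaining 35 characters of its hash are compared locally.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in query(prefix).splitlines():
        if not line.strip():
            continue
        candidate_suffix, count = line.strip().split(":")
        if candidate_suffix == suffix:
            return int(count)
    return 0


def audit_vault(entries: Iterable[Tuple[str, str]]) -> Tuple[List[str], List[str]]:
    """Audit (site, password) pairs, e.g. exported from a password manager.

    Returns (sites whose password is shared with another site,
             sites whose password appears in the breach corpus), both sorted.
    """
    entries = list(entries)
    by_password = {}
    for site, pw in entries:
        by_password.setdefault(pw, []).append(site)
    reused = sorted(s for sites in by_password.values() if len(sites) > 1 for s in sites)
    breached = sorted(site for site, pw in entries if breach_count(pw) > 0)
    return reused, breached


if __name__ == "__main__":
    # Constructed sample vault: the same weak password on two sites, one unique one.
    sample_vault = [("twitter", "password"), ("bank", "password"), ("work", "Tq7!vH2m#pLz9xR")]
    print(audit_vault(sample_vault))
```

In a real deployment the `query` callable would perform the HTTPS range request against a breach-check service; everything else, including the suffix comparison, stays exactly as written so the password never leaves the machine.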

While you’re at it, make sure you’ve also enabled two-factor authentication for your Twitter account — but do so with an app, not SMS text messages. (More on this below.)

3) Use a separate email address

If remaining anonymous on Twitter is really important, you may not want to use your real, primary email address for your Twitter account. Instead, use a throwaway or “burner” address that automatically forwards to your primary email.

Using a throwaway email can protect your account in other ways as well. If a hacker manages to access the email associated with your account, a unique address gives them less to work with: they won’t be able to use it to try to break into your other accounts.

4) Use an authentication app

It is good security hygiene to use two-factor authentication for logins wherever available. But on Twitter, you can make it work through an app instead of SMS text messages on your phone.

Why does that matter? If a hacker discovers your phone number, they can try to intercept your text messages and use the codes to take control of your accounts.


For this extra step of security, you’ll need to use an app like Google Authenticator. It’s not as difficult as it sounds – instead of checking for a text message every time you log in, you’ll pull up the app and type in the rotating code it shows.
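The rotating code the article describes is a time-based one-time password (TOTP, RFC 6238): the app and the service share a secret at setup time, and both derive the same six digits from that secret and the current 30-second time slot, so nothing is sent over SMS where it could be intercepted. The added example below (not code from the original article or from any authenticator app) implements the generation and verification steps in plain Python so the mechanism is visible. The secret is the RFC 6238 test-vector key, and the one-step tolerance window and the Base32 helper are design choices assumed here, not details from the page.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter,
    dynamically truncated to a 31-bit integer, reduced to `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP with the counter set to the
    number of `step`-second slots since the Unix epoch. This is what the app shows."""
    if at is None:
        at = int(time.time())
    return hotp(key, at // step, digits)


def verify_totp(key: bytes, code: str, at: Optional[int] = None, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check. Accepts the code for the current slot plus `window`
    slots either side to absorb clock drift and the time it takes to type it.
    Uses a constant-time comparison so timing does not leak partial matches."""
    if at is None:
        at = int(time.time())
    counter = at // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(key, counter + delta, digits), code):
            return True
    return False


def key_from_base32(secret: str) -> bytes:
    """Decode the Base32 secret that setup screens and QR codes carry.
    Strips spaces and restores any Base32 padding the display dropped."""
    s = secret.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


if __name__ == "__main__":
    # RFC 6238 reference key (ASCII "12345678901234567890"), shown here in Base32
    # as a setup screen would present it.
    key = key_from_base32("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    now = int(time.time())
    code = totp(key, at=now)
    print("current code:", code, "valid:", verify_totp(key, code, at=now))
```

Because the code is a function of the shared secret and the clock only, the same secret enrolled on two devices produces identical codes; that is why the secret (and any backup codes) must be protected as carefully as the password itself.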

5) Check other privacy and security settings

Make sure you’ve followed our Twitter privacy reset guide to reduce your exposure as much as possible. The less Twitter knows about you, the less risk you face.

For example, you may not want to allow Twitter to collect information about your “exact location,” which it uses to show you local content and ads.

While you’re at it, use a program like TweetDelete.com to remove your old tweets. You never know when some of them might come back to haunt you.
