
Security on Twitter

Yesterday I sent a memo to all staff advising them on the situation at Twitter and how it pertains to their own security. I thought it might be useful to share a version of this information with you, too.

Twitter’s Chief Information Security Officer, Chief Privacy Officer, and Chief Compliance Officer all quit on Wednesday night. One can reasonably infer that the team at Twitter is being asked to do things that these people were not comfortable with, and given their roles, it’s reasonable to consider Twitter to be insecure going forward.

At the same time, it’s still where a lot of people find community and reach. You might not want to leave it right now. Here, then, are some suggestions about how to stay safe while remaining on the platform.

Enable non-phone two-factor authentication. Twitter allows you to log in with two-factor auth. Using your phone number leaves you open to having that number leaked - or used for other purposes by the company - in the future. I always recommend using an authentication app. Authy is a good stand-alone app, but this functionality is also built into password managers like 1Password.

Remove your credit card number. If you’ve bought ads, remove your payment details from the system. We know that credit card numbers are stored insecurely on the platform.

Remove sensitive DMs. DMs on Twitter are not encrypted. They could be leaked or mined by the company for other purposes.

Use a password manager to generate your password. Don't try to use a password you've invented yourself. And don't share this password with any other system: it’s just for Twitter.

Use a canary email address, if you can. All Google-powered email addresses can have arbitrary labels added to them using a +. For example, the address will still get to me - but if I use that label on my email address in my Twitter account, I'll know my account has been compromised when other entities start using it.

Post via the web or using a third-party app. We know that Twitter tracks very detailed location information from its app users. Web browsers keep you safe, so posting via the web does not carry the same risk.
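One way to automate the canary address check described above, as an added example that is not part of the original memo: it scans messages for a + label and reports any sender outside the service that label was given to. The `example.com` addresses, the `EXPECTED` mapping, the function names and the sample messages are all constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Assumption: each +label was handed to exactly one service, listed here
# with the sender domains that service legitimately mails from.
EXPECTED = {"twitter": {"twitter.com"}}

def plus_label(address):
    """Return the +label in an address's local part, or None if absent."""
    local = address.rpartition("@")[0]
    _, sep, label = local.partition("+")
    return label.lower() if sep and label else None

def canary_hits(raw_messages, expected=EXPECTED):
    """List (label, sender_domain) for mail sent to a canary label by a
    sender outside the domains expected for that label."""
    hits = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        # From is forgeable: a sender spoofing the expected domain is not
        # caught here, so treat a clean result as weak evidence only.
        domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
        fields = (msg.get_all("To", []) + msg.get_all("Cc", [])
                  + msg.get_all("Delivered-To", []))
        labels = {plus_label(addr) for _, addr in getaddresses(fields)}
        for label in sorted(labels & set(expected)):
            allowed = expected[label]
            if not any(domain == d or domain.endswith("." + d) for d in allowed):
                hits.append((label, domain))
    return hits

# Constructed sample mailbox: one legitimate notice, one message from an
# unrelated sender to the canary label, one message with no label.
SAMPLE = [
    "From: Twitter <notify@twitter.com>\nTo: me+twitter@example.com\n"
    "Subject: New login\n\nbody",
    "From: Deals <promo@shop.example>\nTo: me+twitter@example.com\n"
    "Subject: Offer\n\nbody",
    "From: friend@example.org\nTo: me@example.com\nSubject: Hi\n\nbody",
]

if __name__ == "__main__":
    for label, domain in canary_hits(SAMPLE):
        print(f"canary '+{label}' received mail from {domain}")
```
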

Twitter: @benwerd
