How to lock down your Twitter security and privacy

If you believe Twitter’s former security chief, the company has a lot of trouble keeping your data secure. So what should you do about it?

In a whistleblower complaint reported by The Washington Post, Peiter “Mudge” Zatko alleged that the company misled the public and regulators about “extreme, egregious deficiencies” in its defenses against hackers. Twitter has said the allegations are “riddled with inaccuracies” from an employee fired after 15 months on the job.

The allegations highlight a sobering reality: When we make services such as Twitter central to our lives, jobs and even democracy, we’re beholden to that corporation to protect us. According to Zatko, Twitter’s controls over who could and could not access your information — even inside of Twitter — were not nearly as strong as they ought to be.

“Users of Twitter have very legitimate reasons to be upset” if Zatko’s allegations are true, said James Foster, the CEO of cybersecurity company ZeroFox. “It’s a breach of trust and a breach of best practice.”

What’s the risk to you? You might primarily think of Twitter as a form of public communication — when you tweet, it goes out for the world to see. But the service can also collect information that’s private or even dangerous if it gets in the wrong hands.

“It’s extremely important for people to do some threat modeling,” said Eva Galperin, director of cybersecurity at the digital rights nonprofit Electronic Frontier Foundation. “Think about what information Twitter has, who is likely to come asking for it and how they are likely to do so.”

The kind of person who should now be on high alert could be the target of attacks by a government or by someone who works at Twitter, she said. Higher-risk people include government workers, activists, journalists and others whose jobs or personal safety depend on them remaining anonymous or maintaining tight control over their accounts.

But even for Twitter users at less risk, the whistleblower’s disclosures are a good reminder: Your direct messages, email address or phone number could get in the hands of criminals or governments.

“I don’t feel it changes anything in terms of what people should be doing, if only because we should already have been working with the assumption that all our communications on there could be seen by others,” said Troy Hunt, founder of Have I Been Pwned, which aggregates information from data breaches.

Twitter didn’t respond to a request for comment about what changes it was making to shore up security, or recommendations for users in light of the allegations.

Security experts say, short of quitting Twitter, there are a few steps you can take that might reduce your risk. Some of these might make using Twitter more annoying — but perhaps not as annoying as having your data stolen.

1) Don’t use direct messages for any sensitive communication

Unlike messaging services such as Apple’s iMessage, the DMs you send on Twitter are not end-to-end encrypted. That means that if somebody gets into Twitter’s systems, the contents of your messages could be revealed. Remember: Something you DM might not feel particularly sensitive in the moment, but it might look embarrassing or incriminating at a different time or to a different audience.

The contents of your messages could also be revealed if you or any of the other people you’re talking with have their accounts compromised and accessed by hackers. Even if you delete a DM conversation from your own account, it remains in the account of the other person you were talking with.

2) Lock down your password

If you are using your Twitter password on any other websites or apps, change it now. One of the most sought-after prizes of any breach is the logins and passwords for users. That’s because hackers know that many people reuse passwords across different websites and apps — so they can use the information to get into your email, bank or work.

You should be using a strong, unique password for every single account, and have a good password manager to help you keep track of them all. It’s easier to use a password manager than you might think.

While you’re at it, make sure you also have two-factor authentication turned on for your Twitter account — but do so with an app rather than SMS text messages. (More on that below.)

3) Use a throwaway email address

If remaining truly anonymous on Twitter is important, you might not want to use your real, primary email address for your Twitter account. Instead, use a throwaway or “burner” account that automatically forwards to your primary email. (Read more advice on setting up throwaway emails here.)

Using a throwaway email can also protect your account in other ways. If a hacker does manage to access the email associated with your account, a unique email is harder to exploit. A hacker wouldn’t be able to use it to try to break into your other accounts.

4) Use an authenticator app

It’s good security hygiene to use two-factor authentication for logins wherever it’s available. But on Twitter, you can have it work via an app rather than phone SMS text messages.

Why is that good? If a hacker found out your phone number, they could try to intercept text messages meant for you and take control of your accounts.

For this extra security step, you’ll need to use an app such as Google Authenticator. This also isn’t as hard as it sounds — instead of checking for a text message every time you log in, you’ll pull up the app and type in the rotating unique code.

5) Check your other privacy and security settings

Make sure you’ve followed our privacy reset guide on Twitter to reduce your exposure as much as possible. The less Twitter knows about you, the less risk you face.

For example, you probably don’t want to let Twitter collect information about your “precise location,” which it uses to show you local content and ads.

While you’re at it, use a program such as TweetDelete.com to remove your old tweets. You never know when some of them might come back to haunt you.
