This is part of training material released by The New York Times.
Social Media Security & Privacy Checklists
In this guide, we’ll cover the recommended settings for each platform that will keep your accounts secure. Follow these general recommendations to protect your accounts from compromise or unintentional data exposure.
Passwords
Two-factor authentication
Direct Messages (DMs)
Facebook
Instagram
Security Checkup
Threads
X (formerly known as Twitter)
LinkedIn
TikTok
Venmo
Reddit
Bluesky Social
Additional Resources
Passwords
Not all passwords are created equal. A weak password can be easily guessed or discovered based on context clues from your life. You should aim to have a strong password that helps to deter unauthorized entry to your account(s). A strong password should be:
- Long - We recommend at least 12 characters.
- Unique - Do not reuse a password across multiple accounts.
- Easy for you to remember but hard to guess - We recommend choosing a long passphrase over random passwords. For example, using a sentence like “The blue horse likes to eat chocolate” is a memorable password that is hard for others to guess. To meet password requirements, you can add punctuation and numbers to create “The b1ue horse likes to eat ch0c0late”.
If you are managing many accounts, it may become hard to manage all your strong, unique passwords. We recommend setting up a password manager. A password manager will keep track of all your strong passwords and is easily accessible to you through a browser extension, mobile app, or desktop app.
Two-factor authentication
Two-factor authentication provides an additional layer of security that verifies your identity when logging into an account. Check to see if you can enable two-factor authentication on your accounts by visiting https://2fa.directory.
- Third-party authenticator app - An authenticator app lives on your mobile device and generates a one-time code required after entering your password. To use a third-party authenticator app, you’ll first need to download one (like Google Authenticator, LastPass Authenticator, etc.) from your mobile device’s app store.
- Security keys (hardware token) - This is the most secure 2FA option. It’s a small physical key that you have to directly insert into your device, or connect via NFC or Bluetooth, to log in. (You can request a security key from Bytes and take a look at our guide on how to set one up on your Google account.)
Recovery Codes
Enabling two-factor authentication comes with a risk: if you lose your authorized device, you could be blocked from accessing important apps. Many accounts offer recovery codes, which can be used in place of two-factor authentication if your device is not available.
This list of codes is normally given to you once you have successfully enabled two-factor authentication with an app. We recommend storing these in a safe place until needed. The codes can be quickly saved within LastPass using a Secure Note for later use.
Direct Messages (DMs)
If you are reaching out to a source via social media, please note that DMs are not a secure method. For sensitive conversations, you should move over to another platform. If you need to use a third-party tool for newsgathering, follow the general recommendations in the InfoSec Secure Communications Guide to reduce the risk of your communications being exposed.
Facebook
✅ Set a strong, unique password
- Where is that? Click Your Account Photo (or click
on mobile) → Settings & Privacy → Settings → Accounts Center → Password and Security → Change Password
✅ Enable two-factor authentication
- Where is that? Click Your Account Photo (or click
on mobile) → Settings & Privacy → Settings → Accounts Center → Password and Security → Two-Factor Authentication
- What are my options? SMS, Authenticator App or a Security Key
✅ Turn on login alerts
- Where is that? Click Your Account Photo (or click
on mobile) → Settings & Privacy → Settings → Accounts Center → Password and Security → Login Alerts
✅ Review where you are logged in and revoke unfamiliar sessions
- Where is that? Click Your Account Photo (or click
on mobile) → Settings & Privacy → Activity Log → Security and Login Information → Where You’re Logged In
✅ Hide your friends list from Public view
- Where is that? Click Your Account Photo (or click
on mobile) → Settings & Privacy → Settings → How People Find and Contact You
✅ Edit who can look up your profile using your email or phone number
- Where is that? Click Your Account Photo (or click
on mobile) → Settings & Privacy → Settings → How People Find and Contact You
✅ Disallow search engines from linking to your profile
- Where is that? Click Your Account Photo (or click
on mobile) → Settings & Privacy → Settings → Under the Audience and Visibility section go to How People Find and Contact You → Toggle off the option Do you want search engines outside of Facebook to link to your profile?
✅ Review who can see your future posts
- Where is that? Click Your Account Photo (or click
on mobile) → Settings & Privacy → Settings → Posts
✅ Edit (all at once) who can see past posts you’ve shared
- Where is that? Click Your Account Photo (or click
on mobile) → Settings & Privacy → Settings → Posts → Limit Past Posts
✅ Edit (individually) all your posts and items you’re tagged in
- Where is that? Click Your Account Photo (or click
on mobile) → Settings & Privacy → Activity Log → Your Facebook activity
✅ Review how others can interact and post to your profile
- Where is that? Click Your Account Photo (or click
on mobile) → Settings & Privacy → Settings → Profile and Tagging → Viewing and Sharing
✅ Review who can tag your account in posts and pictures
- Where is that? Click Your Account Photo (or click
on mobile) → Settings & Privacy → Settings → Profile and Tagging → Tagging
✅ Review who can see the people, Pages, and lists you follow
- Where is that? Click Your Account Photo (or click
on mobile) → Settings & Privacy → Settings → Followers and Public Content
✅ Review the apps and websites that have access to your account
- Where is that? Click Your Account Photo (or click
on mobile) → Settings & Privacy → Settings → Apps and Websites
✅ Review Off-Facebook Activity
- Where is that? Click Your Account Photo (or click
on mobile) → Settings & Privacy → Settings → Accounts Center → Your Information and Permissions → Your Activity Off Meta Technologies
Any journalist or freelance contributor working in an editorial capacity for a news organization that is registered as a news Page on Facebook is encouraged to register as a journalist on Facebook using their personal Facebook account.
Registered journalists will receive stronger security features that further protect their Facebook and Instagram accounts, and may be eligible for other benefits, such as Blue Badge verification.
✅ Register for Journalist Facebook Resources
- Where is that? Click Your Account Photo (or click
on mobile) → Settings & Privacy → Settings → Journalist Resources
Instagram
✅ Set a strong, unique password
- Where is that? From your profile tap
in the top right corner → Accounts Center → Password and security → Change password
✅ Enable two-factor authentication
- Where is that? From your profile tap
in the top right corner → Accounts Center → Password and security → Two-Factor Authentication
✅ Review where you are logged in and revoke unfamiliar sessions
- Where is that? From your profile tap
in the top right corner → Accounts Center → Password and security → Where you’re logged in
✅ Remove any uploaded contacts and disable contact sync.
- Where is that? From your profile tap
in the top right corner → Accounts Center → Your information and permissions → Upload contacts → Toggle off Connect contacts
- Turning off syncing is only available on the Instagram app for Android and iPhone. To prevent contacts from periodically being re-uploaded, turn off contact syncing in your settings on all devices logged into Instagram.
✅ Set account to private (If not being used in a professional manner)
- Where is that? From your profile tap
in the top right corner → Account Privacy → Toggle on Private account
✅ Revoke unauthorized applications that are linked to your account
- Where is that? From your profile tap
in the top right corner → Website Permissions → Apps and Websites
✅ Turn off similar account suggestions
- Where is that? From your profile tap
in the top right corner → Edit Profile
Security Checkup
If Instagram detects a suspicious login on your account, a prompt will guide you through the steps needed to re-secure your profile. This includes checking recent login activity, reviewing profile information, confirming the accounts that share login information, and updating the account’s recovery contact information, such as phone numbers or email addresses, in order to undo a hacker’s actions.
Threads
Threads, the latest social media platform from Meta, is a place to share text-based updates and join public conversations. Threads presents and functions very similarly to its competitor, X, in that you can like, repost, and quote posts shared by other accounts. Note that in order to create a Threads account it is a requirement to first create an Instagram account. Once your Threads account is created, it cannot be deleted unless you also delete your Instagram account.
Threads will utilize your Instagram login credentials and other pieces of information to create your account. You can choose to either import the accounts you follow from Instagram or manually follow accounts as you go.
Threads is built on a shared communication protocol that will allow accounts hosted on platforms and servers outside of Meta’s purview to view your posts if your account is public and you enable sharing. Additionally, if you post on these “outside platforms” via Threads and later choose to delete this post off of your Threads account, Meta can only request to have them deleted elsewhere.
Be aware that some account security and privacy settings will be applied to both Threads and Instagram accounts when configured. Once you select an option below the “Other account settings” disclaimer you will be routed to the “Meta Account Center”. Here you will be able to edit settings for Instagram (which affects Threads) as well as Facebook.
✅ Set a strong, unique password
- Where is that? From your profile, tap
in the top right corner → Account → Security → Change Password
✅ Enable two-factor authentication
- Where is that? From your profile, tap
in the top right corner → Account → Security → Two-factor authentication
- What are my options? 😐 SMS and 😀 Authenticator app
✅ Review where you are logged in and revoke unfamiliar sessions
- Where is that? From your profile, tap
in the top right corner → Account → Security → Where you’re logged in
✅ Remove any uploaded contacts and disable contact sync
- Where is that? In Instagram: Tap
in the top right corner → Settings and Privacy → Account Center → Your information and permissions → Upload Contacts
✅ Set account to private (If not being used in a professional manner)
- Where is that? From your profile, tap
in the top right corner → Privacy → Private profile
The following settings are not available in the mobile app. Log into instagram.com from your computer or your phone's browser.
✅ Revoke unauthorized applications that are linked to your account
- Where is that? Click
→ Settings → Website Permissions → Apps and Websites
✅ Turn off similar account suggestions
- Where is that? Click
→ Settings → Edit Profile → Similar Account Suggestions
X (formerly known as Twitter)
✅ Set a strong, unique password
- Where is that? Tap More on the left side → Settings and privacy → Your account → Change your password
✅ Enable two-factor authentication
- Where is that? Tap More on the left side → Settings and privacy → Security and account access → Security → Two-factor authentication
- What are my options? Authenticator App or Security Key
✅ Review where you are logged in and revoke unfamiliar sessions
- Where is that? Tap More on the left side → Settings and privacy → Security and account access → Apps and sessions → Sessions
✅ Revoke unauthorized applications that are linked to your account
- Where is that? Tap More on the left side → Settings and privacy → Security and account access → Apps and sessions → Connected apps
✅ Enable password reset protection
- Where is that? Tap More on the left side → Settings and privacy → Security and account access → Security → Password reset protect
✅ Edit who can look up your profile using your email or phone number
- Where is that? Tap More on the left side → Settings and privacy → Privacy and safety → Discoverability and contacts
✅ Disable location information on Tweets
- Where is that? Tap More on the left side → Settings and privacy → Privacy and safety → Location information
✅ Disable photo tagging
- Where is that? Tap More on the left side → Settings and privacy → Privacy and safety → Audience, media and tagging
LinkedIn
✅ Set a strong, unique password
- Where is that? Click on your profile → Settings & Privacy → Sign in & Security → Change password
✅ Enable two-factor authentication
- Where is that? Click on your profile → Settings & Privacy → Sign in & Security → Two-step verification
- What are my options? 😐 SMS or 😀 Authenticator App
✅ Review where you are logged in and revoke unfamiliar sessions
- Where is that? Click on your profile → Settings & Privacy → Sign in & Security → Where you’re signed in
✅ Revoke unauthorized applications that are linked to your account
- Where is that? Click on your profile → Settings & Privacy → Account Preferences → Partners and services
✅ Edit who can look up your profile using your email or phone number
- Where is that? Click on your profile → Settings & Privacy → Visibility → Visibility of your profile & network → Profile discovery using email address, Profile discovery using phone number
✅ Disable the visibility of your profile to non-LinkedIn users
- Where is that? Click on your profile → Settings & Privacy → Visibility → Visibility of your profile & network → Edit your public profile
✅ Update the visibility of your email address to first degree connections
- Where is that? Click on your profile → Settings & Privacy → Visibility → Visibility of your profile & network → Who can see or download your email address
✅ Limit who can see your connections
- Where is that? Click on your profile → Settings & Privacy → Visibility → Who can see your connections
✅ Disable LinkedIn’s data sharing settings for GenAI (more context here)
(Please note this feature is currently suspended for certain audiences based on location. If you are located in the UK, EU, European Economic Area or Switzerland, this setting is not available to you.)
- Where is that? Click on your profile → Settings & Privacy → Data Privacy → Data for Generative AI Improvement → toggle “off”
TikTok
Settings only available on mobile
✅ Set a strong, unique password
- Where is that? From your profile, tap
Settings & Privacy → Account → Password
✅ Enable two-step verification
- Where is that? From your profile, tap
Settings & Privacy → Security and permissions → 2-Step Verification
- What are my options? SMS, email, and authenticator app
✅ Disallow others from downloading your videos
- Where is that? From your profile, tap
Settings & Privacy → Privacy → Safety → Downloads → turn off
✅ Disable contacts and unsync Facebook friends
- Where is that? From your profile, tap
Settings & Privacy → Privacy → Sync Contacts and Facebook Friends → turn off
✅ View security alerts for any unusual account activity
- Where is that? From your profile, tap
Settings & Privacy → Security and permissions → Security Alerts
✅ View all devices logged into your account and revoke any suspicious sessions
- Where is that? From your profile, tap
Settings & Privacy → Security and permissions → Manage Devices → delete any unfamiliar devices
✅ If it’s a personal account, set account to private
- Where is that? From your profile, tap
Settings & Privacy → Privacy → toggle on Private Account
✅ Turn off account suggestions for others
- Where is that? From your profile, tap
Settings & Privacy → Privacy → Suggest Your Account to Others
✅ Enable additional privacy controls for who can comment on your videos, mention you and see that you’ve viewed another profile
- Where is that? From your profile, tap
Settings & Privacy → Privacy → Interactions
- → Comments
- → Mentions
- → Following
- → Duet
- → Stitch
- → Liked videos
- → Direct messages
- → Profile views
✅ Remove connected third-party apps
- Where is that? From your profile, tap
Settings & Privacy → Security & permissions → Apps and services Permissions
Venmo
✅ Set a strong and unique password
- Where is that? Tap Me in bottom right corner → tap
in top right corner (scroll down to Security) → Change Password
✅ Enable Touch ID & PIN
- Where is that? Tap Me in bottom right corner → tap
in top right corner → Face ID & Passcode
✅ Make future transactions private
- Where is that? Tap Me in bottom right corner → tap
in top right corner → Privacy → Default Privacy Settings → select Private
✅ Set all past transactions to private
- Where is that? Tap Me in bottom right corner → tap
in top right corner → Privacy → Default Privacy Settings → select Private
✅ Remove devices that you no longer want Venmo to remember
- Where is that? Tap Me in bottom right corner → tap
in top right corner → Security → Remembered Devices → Other Devices → remove any unfamiliar or old devices
✅ Make your friends list private
- Where is that? Tap Me in bottom right corner → tap
in top right corner → Privacy (scroll down to More) → Friends List → select Private
✅ Turn on notifications for payments so you’re alerted to any fraudulent activity
- Where is that? Tap Me in bottom right corner → tap
in top right corner → Notifications → select push or text notifications → enable Payment Sent
Reddit
✅ Set a strong, unique password
- Where is that? User Settings → Account settings → Change Password
✅ Enable two-factor authentication (only possible via desktop)
- Where is that? Click on your username → Settings → Account authorization → Two-factor Authentication
- What are my options? 😐 SMS or 😀 Authenticator App
✅ Revoke unauthorized applications that are linked to your account
- Where is that? Click on your username → Settings → Privacy → Third-party app authorization
✅ Disable search engine indexing
- Where is that? Click on your username → Privacy → Toggle off Show up in search results
✅ Disable content visibility
- Where is that? User Settings → Profile → Toggle off Content Visibility
Bluesky Social
Note: Bluesky is a decentralized social media platform. We will post more updates to this section as we continue to evaluate the platform.
✅ Set a strong, unique password
- Where is that? Tap Settings on the left side → Account → Password
✅ Enable two-factor authentication
- Where is that? Tap Settings on the left side → Privacy and Security → Two-factor authentication
✅ Moderate what content appears on your feed
- Where is that? Tap Settings on the left side → Moderation
✅ Generate unique app passwords when using your Bluesky account to sign in to other applications. This is a recommended alternative to sharing Bluesky account credentials with other platforms.
- Where is that? Tap Settings on the left side → Privacy and Security → App passwords
Invitation Codes in Bluesky
Bluesky is an “invitation-only” social media platform. Invitations take the form of registration codes that current Bluesky users share with the recipient via email. If you do not have a code, you will not be able to create an account. If you receive an invitation you weren’t expecting, or from a sender you are unfamiliar with, it is best to disregard the invitation.
Additional Resources
Facebook Help Center
Instagram Help Center
Twitter Help Center
LinkedIn Help
Reddit Help