It’s important to proactively secure your social media accounts, especially since you never know when an innocuous mistake could put you at risk. But it isn’t just a theoretical threat. Pranksters, vandals, and malicious attackers all look for ways to get into any legitimate account they can. So while you don’t need to hide in a hole, there are some worthwhile (and easy!) steps you can take to keep your accounts from being hijacked.
Make the Most of Your Device Lockscreen
Set all of your computing devices to lock quickly when you stop using them so you have protection from physical attacks. This mostly applies to reducing pranks and blocking rogue toddlers, but it doesn’t hurt for defending against more extreme targeting as well. And don’t forget to use a strong passcode or biometric to guard devices. If the unlock code for your phone is your birthday, you’re not making it that difficult for someone to break in.
Use a Strong, Unique Password and Two-Factor Authentication
Dealing with passwords and two-factor is the single most important thing you can do to lock accounts down—that’s why you’ve heard it a million times. One of the easiest ways someone can get into your account is by acquiring leaked credentials, and trying those email and password combinations on other services. That threat goes away if you use different passwords across all of your accounts. (To make that a little easier, pick up a password manager.)
And requiring a second code, or “factor,” to log into accounts means that even if an attacker does get your password, they’d also need control of a second device—usually your smartphone—to break in.
To add two-factor authentication on Facebook, go to Settings > Security and Login > Two-Factor Authentication. Then enter your password to confirm that you want to make changes, and set two-factor to “On.” From there you can set things up to receive second factor codes via SMS or, preferably, using a code-generating app like Google Authenticator.
To add it on Twitter, go to Settings and Privacy > Account. In the Security subsection, click on Review your login verification methods. After entering your password you’ll land on a Login verification screen where you can make the same choices about how and where to receive codes.
While using strong, unique passwords and two-factor isn’t foolproof, for most people the combination drastically reduces the chance that their social media accounts will ever be compromised.
Facebook has a few options to help keep on top of who’s accessing your account, and where. Under Settings > Security and Login, you can see all the devices your account is logged in on, and where they are. See something you don’t recognize, or a device you’ve lost track of? The right-hand icon gives you the option of logging out remotely, or reporting it as an imposter.
From there, scroll down to Get alerts about unrecognized logins, and turn it on. That way, you’ll get a notification via Messenger, email, or Facebook that someone has logged into your account from an unrecognized browser. Twitter doesn’t offer a similar function—all the more reason to make sure you’ve got two-factor on for it.
Limit Third-Party Permissions
Though it would be difficult for an attacker to take over one of your social media accounts through a third-party service that has some access, it’s worth checking out what you’ve approved to ensure that there’s nothing phishy in the list, and remove old plugins that you no longer need. You could have granted them permission to gather more data than you think. That’s not a hack, exactly, but it’s still invasive.
On Facebook, go to Settings > Apps and Websites to view and manage the outside services that have some access to your Facebook account.
On Twitter, go to Settings and Privacy > Apps to see and edit the list.
Check Device Permissions
Also check the permissions services like Facebook and Twitter have on each of your devices. You might have blocked Facebook from accessing your location on your smartphone, but accidentally allowed it on your tablet because you weren’t paying attention. This data should be safe on accounts that are guarded by a strong password and two-factor authentication, but if you don’t want a service gathering it anyway you might as well turn it off.
On Android, go to Settings > Apps, then click the upper-right menu icon, and tap App permissions.
On iOS go to Settings > Privacy to manage which services have access to which parts of your phone. And also in Settings scroll down to double check the permissions listed for each service you use.
You might also consider limiting the amount of personal data you put in social media accounts, so that if someone does break in—or if an advertiser or app accesses it—you’ve minimized the amount they can grab.
“When people say ‘well, I put all this data out there on Facebook, what do I do to protect myself?’ I tell them don’t change your profile at all, just change inside of yourself all of your political views, all of your tastes, all of your likes, and then they’ll have all the wrong information about you,” jokes David Dufour, vice president of engineering and cybersecurity at the security firm Webroot.
Dufour also emphasizes that avoiding making accounts you don’t need and shutting down old ones you no longer use are basic steps to get your accounts under control.
And that should do it! There’s no such thing as perfect security, but at least you’ll have the peace of mind knowing you did everything you could—and made it as hard as possible for hackers to get at your accounts.