Twitter Security
tag: [Community & Marketing]
Having your Twitter account compromised can cause a lot of damage, not only to you but to the entire ecosystem: a hijacked account is a ready-made channel for phishing everyone who follows it. Securing your Twitter account is neither hard nor time-consuming, so consider following the best practices below:
Remove your phone number
There are no good reasons to keep a phone number attached to your account: it is exactly what a SIM-swapping attacker uses to receive your SMS codes and password-reset messages, which makes it the easiest way into the account. Getting verified requires you to add a phone number, but you can remove it afterward.
- Go to https://twitter.com/settings/phone
- If a phone number exists, remove it with “Delete phone number”
- After removing your phone number, go to Settings > Security and Account Access > Security > Two-Factor Authentication > Backup Codes. Store these codes offline, just as you would a seed phrase: anyone holding them can bypass your 2FA, so write them down and keep them somewhere secure. Remember that changing your password generates new backup codes, so re-save them after every password change.
Configure 2FA
Two-factor authentication is extremely useful against account takeover, but not SMS 2FA when the attacker controls your phone number. You should almost always prefer an authenticator app or a security key. Make sure your backup codes are stored somewhere secure, preferably printed on paper rather than kept on your device.
- Go to https://twitter.com/settings/account/login_verification
- Make sure “Text message” is disabled
- Make sure either “Authentication app” or “Security key” is enabled
- If you choose an authentication app, you can store your TOTP secret in Authy or Google Authenticator (but make sure to disable cloud sync: the secret alone is enough to generate valid codes, so every synced copy is another place it can be stolen from)
- If you choose security keys, you’ll probably want two at minimum in case one of them stops functioning. Yubico provides multiple hardware keys which have stood the test of time.
- Select “Backup codes”, then generate a new backup code and store it in a safe place, preferably printed rather than on your computer, because compromising one device should not give the threat actor access to everything.
Revoke access from delegated accounts
Twitter allows you to delegate access to your account to other accounts. If your account was previously compromised, this is a sneaky way for attackers to maintain access even after you recover control, because the delegation survives your password change.
- Go to https://twitter.com/settings/delegate/members
- For every account, if you don’t recognize it, click “Remove from group”
Enable password reset protect
Twitter offers an option to require users to enter the email address or phone number (or both) associated with an account before they can request a password reset. This means an attacker has to already know your email address instead of being shown a hint of it.
(Screenshots: “Password reset protect” shown disabled and enabled)
- Go to https://twitter.com/settings/security
- Make sure “Password reset protect” is enabled
Additional Security Settings
- Go to Settings & Privacy > Privacy and Safety > Discoverability and Contacts and turn both email and phone discoverability off, so that someone holding a leaked email address or phone number cannot use it to find your account
- Go to Settings & Privacy > Security and Account Access > Security, set up your security key, and check that “Password reset protect” is enabled
- Go to Settings & Privacy > Security and Account Access > Apps and Sessions: under Connected Apps, log out of apps you no longer use; under Sessions, log out of old sessions
Revoke access from unnecessary apps
You might’ve connected Twitter with various apps, and some of these apps may have too many permissions assigned to them. To verify what permissions these apps have, follow these steps:
- Go to https://twitter.com/settings/connected_apps
- For each app, check the permissions that it has. If it can act on your behalf, consider removing it with “Revoke app permissions”
De-authorize inactive or unrecognized sessions
You may have logged into Twitter from places outside your normal devices; perhaps you at some point used a friend’s phone to send a quick tweet. Check which sessions are active and log out of the ones you don’t need.
- Go to https://twitter.com/settings/sessions
- For every session under “Log out of other sessions”, see if you recognize the device and if it’s been active recently. If not, click the device and click “Log out of the device shown”
Ensure you’re using an up-to-date email
Did you change email addresses since you made your Twitter account? An old, abandoned mailbox is an easy target for threat actors, and whoever controls it can receive your password-reset links. Make sure you’re using your current email so that you actually see any security alerts.
- Go to https://twitter.com/settings/email
- If the email being used is not an up-to-date email, update it
Update your password
If you are not using a unique password for Twitter, it’s time to create one: long, random, and stored in a password manager, so that a breach of some other site cannot be replayed against this account.
- Go to https://twitter.com/settings/password
- Change your password
X Emails
- Be cautious if you receive an email about a password change, a delegation, or content moderation. Always go to the site directly by typing the address; do not click links in the email and enter your X login information there.
- Always check the “From” address of the email and verify that it is from “@x.com”. Look at the actual address, not the display name, and watch for lookalike domains. A From address can also be forged outright, so treat this as a necessary check rather than a sufficient one.
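A concrete version of the “From” check above, as an added example that is not part of the original guide. It parses a raw message with Python’s standard `email` module, takes the domain from the actual address rather than the display name, and only trusts a `dmarc=pass` result that was stamped by your own inbound mail server, since an attacker can include a fake Authentication-Results header in the message itself. `TRUSTED_DOMAINS`, the authserv-id `mx.example.net` and the four sample messages are constructed for the example, not taken from real mail or from X.

```python
import email
import re
from email.utils import parseaddr

# Assumptions for this example (not from the original guide): domains treated as legitimate
# X senders, and the authserv-id that OUR inbound mail server writes into Authentication-Results.
TRUSTED_DOMAINS = {"x.com", "twitter.com"}
OUR_AUTHSERV_ID = "mx.example.net"

_DMARC_RE = re.compile(r"\bdmarc=(\w+)", re.I)
_HDR_FROM_RE = re.compile(r"header\.from=([\w.-]+)", re.I)


def from_parts(msg) -> tuple:
    """(display name, address domain). Only the domain of the real address counts; the display
    name is free text chosen by the sender and is a classic place to put "support@x.com"."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
    return name, domain


def dmarc_passed(msg, domain: str) -> bool:
    """True only if an Authentication-Results header written by OUR server reports dmarc=pass for
    `domain`. Headers carrying any other authserv-id may have been injected by the sender."""
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if authserv.strip().lower() != OUR_AUTHSERV_ID:
            continue
        dm, hf = _DMARC_RE.search(results), _HDR_FROM_RE.search(results)
        if dm and hf and dm.group(1).lower() == "pass" and hf.group(1).lower() == domain:
            return True
    return False


def assess(raw: bytes) -> dict:
    """Classify a raw RFC 5322 message as "plausible" or "suspicious", with the reasons."""
    msg = email.message_from_bytes(raw)
    name, domain = from_parts(msg)
    reasons = []
    if domain not in TRUSTED_DOMAINS:
        reasons.append(f"From address domain {domain!r} is not an X domain")
        if re.search(r"@(x\.com|twitter\.com)\b", name, re.I):
            reasons.append("display name imitates an X address")
    elif not dmarc_passed(msg, domain):
        reasons.append("no DMARC pass for the From domain from our own mail server")
    return {"from_domain": domain, "verdict": "suspicious" if reasons else "plausible", "reasons": reasons}


# Constructed sample messages, one per pattern the guide warns about; none is real mail.
SAMPLES = {
    "legit": (
        b"From: X <info@x.com>\r\n"
        b"Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=x.com; "
        b"dkim=pass header.d=x.com; dmarc=pass (p=reject) header.from=x.com\r\n"
        b"Subject: Your password was changed\r\n\r\nIf this wasn't you ...\r\n"
    ),
    "lookalike": (
        b"From: X Support <security@x-support-center.com>\r\n"
        b"Authentication-Results: mx.example.net; dmarc=pass header.from=x-support-center.com\r\n"
        b"Subject: Content moderation notice\r\n\r\nClick here ...\r\n"
    ),
    "display_name": (
        b'From: "support@x.com" <alerts@evil.example>\r\n'
        b"Subject: Delegate access added\r\n\r\nReview here ...\r\n"
    ),
    "spoofed": (
        b"From: X <security@x.com>\r\n"
        # Injected by the sender: the authserv-id is not ours, so dmarc_passed ignores it.
        b"Authentication-Results: mx.attacker.example; dmarc=pass header.from=x.com\r\n"
        b"Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=x.com; dmarc=fail header.from=x.com\r\n"
        b"Subject: Password reset\r\n\r\nReset now ...\r\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, assess(raw))
```

The “lookalike” sample is deliberately DMARC-clean: an attacker who registers x-support-center.com can set up SPF and DKIM for it perfectly well, so authentication results only tell you the mail really came from the domain in the From address, and you still have to decide whether that domain is X.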