
This is part of training material released by The New York Times.

For more information, please read this article on NYT Open and see this resource guide. If you wish to make changes to this doc, please make a copy using the dropdown menu under “File” above.

Social Media Security & Privacy Checklists

In this guide, we’ll cover the recommended settings for each platform that will keep your accounts secure. Follow these general recommendations to protect your accounts from compromise or unintentional data exposure.

🔑 Passwords
🔒 Two-factor authentication
Direct Messages (DMs)
Facebook
Instagram
Security Checkup
Threads
Twitter
LinkedIn
TikTok
Venmo
Reddit
Clubhouse
Mastodon
Bluesky Social
Additional Resources

🔑 Passwords
Not all passwords are created equal. A weak password can be easily guessed or discovered from context clues about your life. Aim for a strong password that deters unauthorized entry to your account(s). A strong password should be:

● Long - We recommend at least 12 characters.
● Unique - Do not reuse a password across multiple accounts.
● Easy for you to remember but hard to guess - We recommend choosing a long passphrase over a random password. For example, a sentence like “The blue horse likes to eat chocolate” is a memorable password that is hard for others to guess. To meet a site’s password requirements, you can add punctuation and numbers to create “The b1ue horse likes to eat ch0c0late”.

If you manage many accounts, it can become hard to keep track of all your strong, unique passwords. We recommend setting up a password manager. A password manager keeps track of all your strong passwords and is easily accessible through a browser extension, mobile app, or desktop app.
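
The three rules above can be checked mechanically. The following is an added example, not part of the NYT guide and not any password manager’s code: it flags a candidate password for being too short, reused on another account, or built from personal details. The `Vault` class, the SHA-256 fingerprinting of passwords in use, and the sample context clues are assumptions made for this demonstration.

```python
"""Password policy checker for the guide's three rules (added example, not NYT's material).

Rules implemented: at least 12 characters, no reuse across accounts, and not
guessable from personal context clues. The set of "already used" passwords is
modelled as SHA-256 fingerprints, an assumption of this example rather than
how any particular password manager stores its vault.
"""
import hashlib

MIN_LENGTH = 12  # the guide's recommendation: at least 12 characters


def fingerprint(password: str) -> str:
    """Digest used to compare a candidate with passwords already in use."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(candidate: str, used_fingerprints: set, context_clues=()) -> list:
    """Return the guide rules the candidate fails; an empty list means it passes."""
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"too short: {len(candidate)} characters, need {MIN_LENGTH}")
    if fingerprint(candidate) in used_fingerprints:
        failures.append("reused: already protects another account")
    lowered = candidate.lower()
    for clue in context_clues:
        # names, pets, birth years and similar details are what a guesser tries first
        if clue and clue.lower() in lowered:
            failures.append(f"guessable: contains personal detail {clue!r}")
    return failures


class Vault:
    """Minimal stand-in for a password manager that tracks which passwords are in use."""

    def __init__(self):
        self._in_use = {}  # account name -> fingerprint of its password

    def fingerprints(self) -> set:
        return set(self._in_use.values())

    def add(self, account: str, password: str, context_clues=()) -> list:
        """Store the password only if it passes the policy; return the failures otherwise."""
        failures = check_password(password, self.fingerprints(), context_clues)
        if not failures:
            self._in_use[account] = fingerprint(password)
        return failures


if __name__ == "__main__":
    # constructed sample data: a few personal details an attacker could find online
    clues = ["Fido", "1987", "Smith"]
    vault = Vault()
    print(vault.add("news-site", "The blue horse likes to eat chocolate", clues))
    print(vault.add("bank", "The blue horse likes to eat chocolate", clues))  # flagged as reused
    print(vault.add("forum", "Fido1987!", clues))  # too short and built from clues
```

The passphrase from the guide passes, a second account using the same passphrase is rejected as reused, and a short password made from a pet’s name and a birth year is rejected on both counts.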

🔒 Two-factor authentication
Two-factor authentication provides an additional layer of security that verifies your identity when you log in to an account. Check whether you can enable two-factor authentication on your accounts by visiting https://2fa.directory. There are three common forms of two-factor authentication available for accounts:

● 😐 SMS (text message) - This is the least secure two-factor option, largely because the messages are unencrypted and susceptible to SIM hijacking attacks. However, keep in mind that SMS is still a better option than no 2FA at all.
● 😀 Third-party authenticator app - An authenticator app lives on your mobile device and generates a one-time code that is required after you enter your password. To use a third-party authenticator app you’ll first need to download one (like Google Authenticator, LastPass Authenticator, etc.) from your mobile device’s app store.
● 😁 Security keys (hardware token) - This is the most secure 2FA option. It’s a small physical key that you insert directly into your device, or connect via NFC or Bluetooth, to log in.

Recovery Codes

Enabling two-factor authentication comes with the risk of losing your authorized device, which could lock you out of important apps. Many accounts offer recovery codes, which can be used in place of two-factor authentication when your device is not available.

This list of codes is normally given to you at the end of successfully enabling two-factor authentication with an app. We recommend storing them in a safe place until needed. The codes can be quickly saved within a password manager using a Secure Note for later use.
Direct Messages (DMs)
If you are reaching out to a source via social media, note that DMs are not a secure method. For sensitive conversations, move to another platform. If you need to use a third-party tool for newsgathering, follow the general recommendations in the Secure Communications Guide to reduce the risk of your communications being accidentally exposed.

Facebook
✅ Set a strong, unique password
● Where is that? Click Your Account Photo → Settings & Privacy → Settings → Accounts Center → Password and Security → Change Password

✅ Enable two-factor authentication
● Where is that? Click Your Account Photo → Settings & Privacy → Settings → Accounts Center → Password and Security → Two-Factor Authentication
● What are my options? 😐 SMS, 😀 Authenticator App or 😁 Security Key

✅ Turn on login alerts
● Where is that? Click Your Account Photo → Settings & Privacy → Settings → Accounts Center → Password and Security → Login Alerts

✅ Review where you are logged in and revoke unfamiliar sessions
● Where is that? Click Your Account Photo → Settings & Privacy → Activity Log → Security and Login Information → Where You’re Logged In

✅ Hide your friends list from public view
● Where is that? Click Your Account Photo → Settings & Privacy → Settings → How People Find and Contact You

✅ Edit who can look up your profile using your email or phone number
● Where is that? Click Your Account Photo → Settings & Privacy → Settings → How People Find and Contact You

✅ Disallow search engines from linking to your profile
● Where is that? Click Your Account Photo → Settings & Privacy → Settings → How People Find and Contact You

✅ Review who can see your future posts
● Where is that? Click Your Account Photo → Settings & Privacy → Settings → Posts

✅ Edit (all at once) who can see past posts you’ve shared
● Where is that? Click Your Account Photo → Settings & Privacy → Settings → Posts → Limit Past Posts

✅ Edit (individually) all your posts and items you’re tagged in
● Where is that? Click Your Account Photo → Settings & Privacy → Activity Log → Your Activity Across Facebook

✅ Review how others can interact and post to your profile
● Where is that? Click Your Account Photo → Settings & Privacy → Settings → Profile and Tagging → Viewing and Sharing

✅ Review who can tag your account in posts and pictures
● Where is that? Click Your Account Photo → Settings & Privacy → Settings → Profile and Tagging → Tagging

✅ Review who can see the people, Pages, and lists you follow
● Where is that? Click Your Account Photo → Settings & Privacy → Settings → Followers and Public Content

✅ Review the apps and websites that have access to your account
● Where is that? Click Your Account Photo → Settings & Privacy → Settings → Apps and Websites

✅ Review Off-Facebook Activity
● Where is that? Click Your Account Photo → Settings & Privacy → Settings → Accounts Center → Your Information and Permissions → Your Activity Off Meta Technologies

Any journalist or freelance contributor working in an editorial capacity for a news organization that is registered as a news Page on Facebook is encouraged to register as a journalist on Facebook using their personal Facebook account.

Registered journalists will receive stronger security features that further protect their Facebook and Instagram accounts, and may be eligible for other benefits, such as Blue Badge verification.

✅ Register for Journalist Facebook Resources
● Where is that? Click Your Account Photo → Settings & Privacy → Settings → Journalist Resources
Instagram

✅ Set a strong, unique password
● Where is that? Click → Settings → Accounts Center → Password and security → Change password

✅ Enable two-factor authentication
● Where is that? Click → Settings → Accounts Center → Password and security → Two-Factor Authentication
● What are my options? 😐 SMS and 😀 Authenticator app

✅ Review where you are logged in and revoke unfamiliar sessions
● Where is that? Click → Settings → Accounts Center → Password and security → Where you’re logged in

✅ Remove any uploaded contacts and disable contact sync
● Where is that? Click → Settings → Accounts Center → Your information and permissions → Manage contacts
● Turning off syncing is only available in the Instagram app for Android and iPhone. To prevent contacts from periodically being re-uploaded, turn off contact syncing in your settings on all devices logged into Instagram.

✅ Set account to private (if not being used in a professional manner)
● Where is that? Click → Settings → Account Privacy

✅ Revoke unauthorized applications that are linked to your account
● Where is that? Click → Settings → Website Permissions → Apps and Websites

✅ Turn off similar account suggestions
● Where is that? Click → Settings → Edit Profile

The following settings are not available in the mobile app. Log into instagram.com from your computer or your phone’s browser.

✅ Revoke unauthorized applications that are linked to your account
● Where is that? Click on your profile icon in the top right corner → Edit Profile → Apps and Websites

✅ Turn off similar account suggestions
● Where is that? Click in the top right corner → Edit Profile → Similar Account Suggestions

Security Checkup
If Instagram detects a suspicious login on your account, a prompt will guide you through the steps needed to re-secure your profiles. This includes checking recent login activity, reviewing profile information, confirming the accounts that share login information, and updating the account’s recovery contact information, such as phone number or email, in order to reverse any changes an intruder made.

Threads

Threads, the latest social media platform from Meta, is a place to share text-based updates and join public conversations. Threads looks and functions very similarly to its competitor, Twitter, in that you can like, repost, and quote posts shared by other accounts. Note that to create a Threads account you must first create an Instagram account. Once your Threads account is created, it cannot be deleted unless you also delete your Instagram account.

Threads will use your Instagram login credentials and other pieces of information to create your account. You can choose to either import the accounts you follow from Instagram or manually follow accounts as you go.

Threads is another entry into the federated social media landscape colloquially referred to as the “Fediverse.” This means it is built on an interoperable protocol that will allow accounts hosted on platforms and servers outside of Meta’s purview to view your posts if they are public. Additionally, if your posts reach these “outside platforms” via Threads and you later choose to delete a post from your Threads account, Meta can only request that the copies be deleted elsewhere.

Be aware that some account security and privacy settings are applied to both Threads and Instagram accounts when configured. Once you select an option below the “Other account settings” disclaimer you will be routed to the “Meta Account Center”. Here you will be able to edit settings for Instagram (which affects Threads) as well as Facebook.

✅ Set a strong, unique password
● Where is that? From your profile, tap in the top right corner → Account → Security → Change Password

✅ Enable two-factor authentication
● Where is that? From your profile, tap in the top right corner → Account → Security → Two-factor authentication
● What are my options? 😐 SMS and 😀 Authenticator app

✅ Review where you are logged in and revoke unfamiliar sessions
● Where is that? From your profile, tap in the top right corner → Account → Security → Where you’re logged in

✅ Remove any uploaded contacts and disable contact sync
● Where is that? In Instagram: Tap in the top right corner → Settings and Privacy → Account Center → Your information and permissions → Upload Contacts

✅ Set account to private (if not being used in a professional manner)
● Where is that? From your profile, tap in the top right corner → Privacy → Private profile

The following settings are not available in the mobile app. Log into instagram.com from your computer or your phone’s browser.

✅ Revoke unauthorized applications that are linked to your account
● Where is that? Click on your profile icon in the top right corner → Edit Profile → Apps and Websites

✅ Turn off similar account suggestions
● Where is that? Click in the top right corner → Edit Profile → Similar Account Suggestions

X (formerly known as Twitter)

✅ Set a strong, unique password
● Where is that? Tap More on the left side → Settings and privacy → Your account → Change your password

✅ Enable two-factor authentication
● Where is that? Tap More on the left side → Settings and privacy → Security and account access → Security → Two-factor authentication
● What are my options? Authenticator App or Security Key
○ NOTE: X no longer supports text message-based 2FA for non-X Blue accounts. Please take a look at our guides for setting up the authenticator app on individual and shared company X accounts.

✅ Review where you are logged in and revoke unfamiliar sessions
● Where is that? Tap More on the left side → Settings and privacy → Security and account access → Apps and sessions → Sessions

✅ Revoke unauthorized applications that are linked to your account
● Where is that? Tap More on the left side → Settings and privacy → Security and account access → Apps and sessions → Connected apps

✅ Enable password reset protection
● Where is that? Tap More on the left side → Settings and privacy → Security and account access → Security → Password reset protect

✅ Edit who can look up your profile using your email or phone number
● Where is that? Tap More on the left side → Settings and privacy → Privacy and safety → Discoverability and contacts

✅ Disable location information on Tweets
● Where is that? Tap More on the left side → Settings and privacy → Privacy and safety → Location information

✅ Disable photo tagging
● Where is that? Tap More on the left side → Settings and privacy → Privacy and safety → Audience, media and tagging

LinkedIn

✅ Set a strong, unique password
● Where is that? Click on → Settings & Privacy → Sign in & Security → Account Access → Change password

✅ Enable two-factor authentication
● Where is that? Click on → Settings & Privacy → Sign in & Security → Account Access → Two-step verification
● What are my options? 😐 SMS or 😀 Authenticator App

✅ Review where you are logged in and revoke unfamiliar sessions
● Where is that? Click on → Settings & Privacy → Account → Where you’re signed in

✅ Revoke unauthorized applications that are linked to your account
● Where is that? Click on → Settings & Privacy → Account Preferences → Partners and services

✅ Edit who can look up your profile using your email or phone number
● Where is that? Click on → Settings & Privacy → Visibility → Visibility of your profile & network → Profile discovery using email address, Profile discovery using phone number

✅ Disable the visibility of your profile to non-LinkedIn users
● Where is that? Click on → Settings & Privacy → Visibility → Visibility of your profile & network → Edit your public profile

✅ Update the visibility of your email address to first-degree connections
● Where is that? Click on → Settings & Privacy → Visibility → Visibility of your profile & network → Who can see or download your email address

✅ Limit who can see your connections
● Where is that? Click on → Settings & Privacy → Visibility → Who can see your connections

TikTok
✅ Set a strong, unique password
● Where is that? From your profile, tap Settings & Privacy → Manage Account → Password

✅ Enable two-step verification
● Where is that? From your profile, tap Settings & Privacy → Security and Login → 2-Step Verification
● What are my options? SMS and email (TikTok requires you to set up both)

✅ Disallow others from downloading your videos
● Where is that? From your profile, tap Settings & Privacy → Privacy → Safety → Downloads → turn off

✅ Disable contacts and unsync Facebook friends
● Where is that? From your profile, tap Settings & Privacy → Privacy → Sync Contacts and Facebook Friends → turn off

✅ View security alerts for any unusual account activity
● Where is that? From your profile, tap Settings & Privacy → Security and Login → Security Alerts

✅ View all devices logged into your account and revoke any suspicious sessions
● Where is that? From your profile, tap Settings & Privacy → Security and Login → Manage Devices → delete any unfamiliar devices

✅ If it’s a personal account, set account to private
● Where is that? From your profile, tap Settings & Privacy → Privacy → Private Account

✅ Turn off account suggestions for others
● Where is that? From your profile, tap Settings & Privacy → Privacy → Suggest Your Account to Others

✅ Enable additional privacy controls for who can comment on your videos, mention you and see that you’ve viewed another profile
● Where is that? From your profile, tap Settings & Privacy → Privacy → Safety
○ → Comments
○ → Mentions
○ → Following
○ → Duet
○ → Stitch
○ → Liked videos
○ → Direct messages
○ → Profile views

✅ Remove connected third-party apps
● Where is that? From your profile, tap Settings & Privacy → Security & Login → Manage App Permissions

Venmo
✅ Set a strong, unique password
● Where is that? Tap Me in the bottom right corner → tap in the top right corner (scroll down to Security) → Change Password

✅ Enable Touch ID & PIN
● Where is that? Tap Me in the bottom right corner → tap in the top right corner → Touch ID & PIN

✅ Make future transactions private
● Where is that? Tap Me in the bottom right corner → tap in the top right corner → Privacy → Default Privacy Settings → select Private

✅ Set all past transactions to private
● Where is that? Tap Me in the bottom right corner → tap in the top right corner → Privacy (scroll down to More) → Past Transactions → select Change All to Private

✅ Remove devices that you no longer want Venmo to remember
● Where is that? Tap Me in the bottom right corner → tap in the top right corner → Security → Remembered Devices → Other Devices → remove any unfamiliar or old devices

✅ Make your friends list private
● Where is that? Tap Me in the bottom right corner → tap in the top right corner → Privacy (scroll down to More) → Friends List → select Private

✅ Turn on notifications for payments so you’re alerted to any fraudulent activity
● Where is that? Tap Me in the bottom right corner → tap in the top right corner → Notifications → select push or text notifications → enable Payment Sent

✅ Turn on notifications for logins from other devices
● Where is that? Tap Me in the bottom right corner → tap in the top right corner → Notifications → select email notifications → enable Login Attempted

Reddit

✅ Set a strong, unique password
● Where is that? User Settings → Account → Change Password

✅ Enable two-factor authentication
● Where is that? User Settings → Safety & Privacy → Two-factor Authentication
● What are my options? 😐 SMS or 😀 Authenticator App

✅ Revoke unauthorized applications that are linked to your account
● Where is that? User Settings → Safety & Privacy → Manage third-party app authorization

✅ Disable logging of outbound clicks
● Where is that? User Settings → Safety & Privacy → Toggle off Personalize all of Reddit based on the outbound links you click on

✅ Disable search engine indexing
● Where is that? User Settings → Safety & Privacy → Toggle off Show up in search results

✅ Disable content visibility
● Where is that? User Settings → Profile → Toggle off Content Visibility

✅ Remove which communities you are active in from your profile
● Where is that? User Settings → Profile → Toggle off Active in communities visibility

Clubhouse
✅ Use a virtual number during account creation
● Where is that? Create a Google Voice number to do this.

✅ Don’t share contacts during account creation
● Where is that? During account setup, select Skip when Clubhouse asks to access your contacts

✅ Unlink your associated social media accounts
● Where is that? Settings → Select your name → Select Unlink Twitter or Unlink Instagram

✅ Deactivate account
● Where is that? Settings → Select your name → Deactivate Account

Keep in mind that Clubhouse is not end-to-end encrypted. You should assume that all conversations (even private chats) could be made public, and not use Clubhouse for sensitive communications.

Mastodon
✅ Set a strong, unique password
● Where is that? Settings → Edit Profile → Account → Change Password

✅ Enable two-factor authentication
● Where is that? Settings → Edit Profile → Account → Two-factor Auth

✅ Confirm you’re following legitimate accounts
● Where is that? Navigate to the user’s profile → look for a green checkmark that verifies external links in the user’s profile (web, podcast, Twitter, etc.)

✅ Verify your account
● Where is that? Settings → Edit Profile → Appearance → include links to your site/podcast/Twitter → once Mastodon verifies these, you’ll see a green checkmark next to the link in your profile

✅ Determine the publishing level of your posts
● Mastodon has a few different feed privacy settings (referred to as “Circle”): public, unlisted (meaning publicly available but won’t appear in the Mastodon timeline), followers-only, and direct (meaning visible only to the people mentioned)
● Where is that? Settings → Edit Profile → Preferences → Post Privacy

✅ Keep your Mastodon account private
● Where is that? Settings → Edit Profile → Lock account

✅ Prevent search engines from linking to your account
● Where is that? Settings → Preferences → Opt-out of search engine indexing

DMs in Mastodon
Direct messages (DMs) are not encrypted, meaning they’re stored in plaintext on the Mastodon server. These messages could be read by the server administrators and stored on multiple Mastodon servers. You should not use Mastodon to send sensitive information.

If you mention another Mastodon user in a DM with someone else, the person you “@” will also see a copy of that message. Essentially, if you mention another user via DM, you’re automatically including them in the conversation.

Bluesky Social

Note: Bluesky is a decentralized social media platform. We will post more updates to this section as we continue to evaluate the platform.

✅ Set a strong, unique password
● Where is that? Tap Sign in on the login screen → Forgot

✅ Moderate what content appears on your feed
● Where is that? Tap More on the left side → Settings → Content Moderation

✅ Generate unique app passwords when using your Bluesky account to sign in to other applications. This is a recommended alternative to sharing your Bluesky account credentials with other platforms.
● Where is that? Tap More on the left side → Settings → App passwords

Invitation Codes in Bluesky

Bluesky is an “invitation-only” social media platform. Invitations take the form of registration codes that current Bluesky users share with the recipient via email. If you do not have a code you will not be able to create an account. If you receive an invitation you weren’t expecting, or from a sender you are unfamiliar with, it is best to disregard the invitation.

Additional Resources
Facebook Help Center
Instagram Help Center
Twitter Help Center
LinkedIn Help
Reddit Help
