Social Media Usage¶
A good rule of thumb for social media is to avoid using it unless you have a concrete reason to (e.g. you run a local business and want to reach more customers). In reality, most people will use it anyway, even without a tangible benefit. If that's the case for you, one of the most important things to remember is to not air your personal dirty laundry. Talking about family disputes and personal problems gives a bad actor a lot of ammunition to work with. If social media is a must-have in your life, the strategies below will help you avoid OPSEC issues.
Some people say social media isn't real life. That may have been true 15 years ago, but it isn't anymore. What happens online has a direct effect on the real world for most people: the internet is used to get jobs, talk to people, and do everyday work, to name a few things. Being careless about what you post can have a negative impact on your privacy in real life. One of the most egregious examples I've seen is the "personal question" challenges people post on Facebook: their favorite food, their vices, etc. These are a way for attackers to farm information in what looks like a harmless manner. The answers are then used in social engineering, for example to answer the security questions that guard account recovery.
There's a long-standing conspiracy theory that governments around the world helped fund the social media platforms, since they are some of the best intelligence-gathering tools that have ever existed. The theory has some validity: people will freely discuss every personal matter in their lives online with anyone who'll listen, and few ever consider whether the people listening have malicious intent.
That said, here are some general mitigation tactics for your social accounts:
Audit the profiles you already have: delete anything you don't use (depending on the platform, deletion can take several months to complete), and tighten the security and privacy controls on the ones you keep. In general, I recommend always restricting who can see your profile information (who can see your posts, who can tag you, whether your profile is indexed by search engines (this one is critical), etc.) and deleting anything sensitive that the platform doesn't require in order to have an account. 2FA should ALWAYS be used for social media; some of the worst OPSEC breaches come from hijacked social accounts. Keep in mind that strong passwords and 2FA won't protect you against cookie stealers: malware that copies your browser's session cookies lets an attacker act as you without ever seeing your password or 2FA code. If you suspect that has happened, change the password and use the platform's "log out of all sessions" option so the stolen session is invalidated.
Be aware of social engineering attempts: most social media platforms allow DMs from any random person. A good attacker understands psychology and will get the victim to willingly hand over money and sensitive information without installing any malware. If you don't already know about cognitive biases, this site will get you up to speed. The approach can take a number of forms; urgency, appeals to authority, hostile attribution, and rumination are examples of levers someone can pull against you. If you play along with a person like this, you have nothing to gain and will eventually lose. Just move on when someone tries to bait you.
Photos and videos can give you grief: both formats store a large amount of metadata that most people don't know about, such as the camera and lens model, the time the shot was taken, and the GPS coordinates of where it was taken. In photos this is the EXIF data (videos carry equivalent metadata in the container). To get rid of it, use a tool designed specifically for this, such as ExifTool; I recommend looking at the list on PrivacyGuides. A while back, some platforms started stripping this data from uploads because of the security issues it was causing, but it's still a good idea to remove it yourself beforehand rather than trusting the platform to do it, and to check the result before you upload.
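To see what actually sits inside a photo, here is an added example (my own code written for this page, not code from ExifTool, PrivacyGuides or any platform) that walks a JPEG's segments with nothing but Python's standard library, lists the Exif fields including the GPS IFD, and strips the Exif/XMP/IPTC segments while leaving the image data untouched. The JPEG bytes in it are constructed by hand (a latitude of 51°30'N that means nothing) so it runs offline; on a real file, read the bytes from disk instead.

```python
"""Inspect and strip Exif metadata from a JPEG using only the stdlib.
Added example for this guide. SAMPLE_JPEG is hand-built: a minimal JPEG whose
Exif APP1 segment carries a GPS IFD with a made-up latitude. Not a real photo."""
import struct

EXIF_HEADER = b"Exif\x00\x00"
XMP_HEADER = b"http://ns.adobe.com/xap/1.0/\x00"
SUB_IFDS = {0x8769: "Exif", 0x8825: "GPS"}    # pointer tags to sub-IFDs
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}  # BYTE, ASCII, SHORT, LONG, RATIONAL


def segments(data):
    """Yield (marker, start, end, payload) for each header segment up to SOS/EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                      # EOI with no scan data
            yield marker, pos, pos + 2, b""
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length
        yield marker, pos, end, data[pos + 4:end]
        if marker == 0xDA:                      # SOS: entropy-coded scan follows
            return
        pos = end


def _decode(tiff, endian, typ, count, raw):
    """Decode ASCII/SHORT/LONG/RATIONAL fields; values over 4 bytes live at an offset."""
    size = TYPE_SIZES.get(typ)
    if size is None:
        return raw
    total = size * count
    if total > 4:
        (off,) = struct.unpack(endian + "I", raw)
        raw = tiff[off:off + total]
    else:
        raw = raw[:total]
    if typ == 2:
        return raw.rstrip(b"\x00").decode("ascii", "replace")
    if typ == 3:
        return struct.unpack(endian + "H" * count, raw)
    if typ == 4:
        return struct.unpack(endian + "I" * count, raw)
    if typ == 5:
        n = struct.unpack(endian + "I" * (2 * count), raw)
        return tuple(n[i] / n[i + 1] for i in range(0, len(n), 2))
    return raw


def parse_exif(payload):
    """Return {(ifd_name, tag): value} for IFD0 and the Exif/GPS sub-IFDs."""
    tiff = payload[len(EXIF_HEADER):]
    endian = {b"II": "<", b"MM": ">"}[tiff[:2]]
    magic, first_ifd = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF header in Exif segment")
    fields = {}

    def walk(off, name):
        (n,) = struct.unpack(endian + "H", tiff[off:off + 2])
        for i in range(n):
            e = off + 2 + 12 * i
            tag, typ, count = struct.unpack(endian + "HHI", tiff[e:e + 8])
            value = _decode(tiff, endian, typ, count, tiff[e + 8:e + 12])
            fields[(name, tag)] = value
            if tag in SUB_IFDS:
                walk(value[0], SUB_IFDS[tag])

    walk(first_ifd, "IFD0")
    return fields


def exif_fields(jpeg):
    """Fields from the first Exif APP1 segment, or {} if the file carries none."""
    for marker, _, _, payload in segments(jpeg):
        if marker == 0xE1 and payload.startswith(EXIF_HEADER):
            return parse_exif(payload)
    return {}


def gps_latitude(fields):
    """Decimal latitude from GPSLatitudeRef (tag 1) and GPSLatitude (tag 2), or None."""
    if ("GPS", 2) not in fields:
        return None
    d, m, s = fields[("GPS", 2)]
    lat = d + m / 60 + s / 3600
    return -lat if fields.get(("GPS", 1)) == "S" else lat


def strip_metadata(jpeg):
    """Drop Exif/XMP APP1 and Photoshop/IPTC APP13 segments; keep everything else."""
    out = bytearray(b"\xff\xd8")
    for marker, start, end, payload in segments(jpeg):
        if marker == 0xDA:
            out += jpeg[start:]   # SOS header, scan data and EOI, copied untouched
            break
        if marker == 0xE1 and payload.startswith((EXIF_HEADER, XMP_HEADER)):
            continue
        if marker == 0xED:        # APP13: Photoshop IRB, usually IPTC captions/keywords
            continue
        out += jpeg[start:end]
    return bytes(out)


def _segment(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def _sample_exif():
    """Constructed little-endian TIFF: IFD0 {Model, GPSInfo} -> GPS IFD {LatRef, Lat}."""
    ifd0, gps = 8, 8 + 2 + 2 * 12 + 4        # IFD0 at 8, GPS IFD right after it
    rationals = gps + 2 + 2 * 12 + 4          # three RATIONALs stored after the GPS IFD
    tiff = b"II" + struct.pack("<HI", 42, ifd0) + struct.pack("<H", 2)
    tiff += struct.pack("<HHI4s", 0x0110, 2, 4, b"Cam\x00")        # Model, ASCII inline
    tiff += struct.pack("<HHII", 0x8825, 4, 1, gps) + struct.pack("<I", 0)
    tiff += struct.pack("<H", 2)
    tiff += struct.pack("<HHI4s", 0x0001, 2, 2, b"N\x00\x00\x00")  # GPSLatitudeRef
    tiff += struct.pack("<HHII", 0x0002, 5, 3, rationals) + struct.pack("<I", 0)
    tiff += struct.pack("<6I", 51, 1, 30, 1, 0, 1)                 # 51 deg 30' 0" (made up)
    return EXIF_HEADER + tiff


SAMPLE_JPEG = (                                                   # constructed, not a real photo
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")  # APP0, kept
    + _segment(0xE1, _sample_exif())                                   # APP1 Exif, stripped
    + _segment(0xDB, b"\x00" + bytes(64))                              # placeholder DQT
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\x56"    # SOS + placeholder scan
    + b"\xff\xd9"
)

if __name__ == "__main__":
    f = exif_fields(SAMPLE_JPEG)
    print("model:", f[("IFD0", 0x0110)], "latitude:", gps_latitude(f))
    print("fields after strip:", exif_fields(strip_metadata(SAMPLE_JPEG)))
```

The stripper only rewrites the header segments before the start-of-scan marker, so the compressed pixel data is copied byte for byte and the image is not re-encoded. Note what it does not cover: PNG, HEIC and video containers keep their metadata in different structures, which is why a dedicated tool is still the right choice for anything other than a plain JPEG.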
Don't lose access to your accounts: this sounds simple, but it's more important than most people think. If you lose access to an account, whether through a bad actor or by accident, assume you won't get it back. Leo from The PC Security Channel made a YouTube video a while back showing a channel with around 300K subscribers that had been taken over by an attacker and was being used to spread malware through links in the video descriptions. If the owner of a page that size can't get back in, don't plan on ever recovering yours. When you reach out to support, you're usually talking to an automated chatbot that isn't designed to handle cases like this. If you lose access and somehow get the account back, you're one of the lucky few.
Friends/followers list: this applies more to a platform like Facebook than to one like Twitter. Keep this list healthy if you're going to be making personal posts. Pay attention to strange posts from people on your list; they're a common sign that the account has been taken over. If there are people you no longer stay in contact with, it's better to remove them, unless you think it would cause a blowout with the person (in which case not talking with them is probably a good idea anyway).
Deleting posts/accounts: the old adage that once something is online it's there forever has some truth to it. If you delete a post from somewhere like Facebook, the platform may still quietly retain a copy on its servers, but it's still worth purging anything you don't want around. For mass-deleting messages, one app I recommend is Redact.dev; it automates deletion when you have too many messages to do it by hand. If you're going to delete a social account, keep in mind that some platforms "archive" or deactivate it rather than performing a full delete. Before requesting deletion, remove all your posts, photos and videos from the platform first.
Leaks can happen through people you know: say you know someone in real life and communicate by phone calls and texts. One day your friend installs a social media app like Facebook on their phone and, during setup, agrees to share the contact list stored on it. The platforms position this as a convenience (automatically finding profiles of the people in that list by email, name and phone number), but it's also data harvesting the platform uses for ad targeting. Even if you've never used Facebook, the platform now knows your name, your number, and whatever else your friend saved in your contact card.
Ongoing updates: it's important to keep up with changes to the platforms you use. With AI being the latest big trend, it's being built tightly into all of them. In 2024 it came out that Slack, a business messaging platform, was using customer data to train its machine learning models by default, with opt-out only by emailing the company. This went over about as well as you can imagine, since many Slack workspaces hold confidential business information that was being used in a way the businesses hadn't agreed to. The same thing is happening to users across social media. I recommend disabling any AI-training option wherever the platform offers one.