
Why Your Default Social Media Privacy Settings Are a Security Risk
Every major social media platform ships with settings that favor maximum visibility over personal privacy. Your posts, photos, employer, hometown, and date of birth may be publicly indexed by search engines and accessible to anyone on the internet — including people who want to exploit that information. This social media privacy settings guide gives you a platform-by-platform action plan to close those gaps in under an hour.
The threat is concrete. Cybercriminals, scammers, and identity thieves routinely use Open-Source Intelligence (OSINT) techniques to scrape social profiles for data that fuels targeted attacks. A birthday in your bio, an employer tag, and a childhood hometown visible in your "About" section can be enough to answer security questions, compromise an account recovery flow, or file a fraudulent tax return in your name. Pew Research Center reports that 72% of U.S. adults actively use at least one social media platform — making the aggregate exposure enormous.
If you haven't reviewed your privacy settings since creating your accounts, you are almost certainly sharing far more than you intend. This social media privacy settings guide walks you through what to change and why, covering Facebook, Instagram, LinkedIn, TikTok, and X (formerly Twitter), plus the often-overlooked threats that persist even after you lock down your profiles.
The Social Media Privacy Threat by the Numbers
- Pew Research Center, 2024: 72% of U.S. adults use at least one social media platform, creating massive aggregate exposure to OSINT attacks
- FTC Consumer Sentinel Network: social media-harvested data fuels many identity fraud cases
- Verizon DBIR 2024: social engineering remains the leading attack vector for targeted individuals
How Attackers Use Your Public Profile Data Against You
Before adjusting settings, it helps to understand what attackers actually do with overshared information. Threat actors who target individuals — for financial fraud, account takeover, or spear-phishing — follow a consistent playbook that starts with passive reconnaissance. They don't need to hack anything. They read your profile.
A public Facebook profile might reveal your full name, date of birth, hometown, relationship status, employer, and school history. LinkedIn adds your job title, reporting structure, and recent projects. Instagram exposes your daily routines, travel patterns, and social circle. TikTok reveals interests, location check-ins, and even voice patterns through videos.
Individually, each piece seems harmless. Combined, they give attackers enough material to answer knowledge-based security questions, craft targeted spear-phishing emails that reference your real employer and colleagues, bypass account recovery processes, and build synthetic identity profiles used in tax identity theft schemes. The MITRE ATT&CK framework classifies this reconnaissance as the first stage of most targeted attacks — meaning every piece of personal data you share publicly lowers the barrier to becoming a victim.
Understanding how your data looks from the outside is the first step in any serious social media privacy settings review. For individuals in high-risk professions, a personal cybersecurity assessment can identify additional exposure points beyond social media that no platform setting can address.
Your Privacy Settings Reset Without Warning
Social media platforms routinely introduce new features with permissive defaults — sometimes after a product update or terms-of-service change that resets your existing preferences. Facebook, Instagram, and TikTok have each been documented rolling back user-configured settings during major app updates. Schedule a semi-annual settings review to catch changes before they expose your data.
Facebook Privacy Settings: The Most Impactful Changes
Facebook offers more granular privacy controls than most platforms, but finding them requires deliberate effort. Start with Settings & Privacy > Privacy Checkup — Facebook's built-in wizard steps you through the highest-priority controls in sequence. This is the fastest entry point for anyone using this social media privacy settings guide for the first time.
Posts and Profile Visibility
Under Settings > Privacy > Your Activity, set "Who can see your future posts?" to Friends. Then use the "Limit Past Posts" tool to retroactively restrict all previous public posts to Friends only. This is a one-way change that cannot be reversed globally, so confirm you've saved anything you want to preserve before running it.
In Settings > Profile and Tagging, turn on tag review so every tag from another user goes into an approval queue before appearing on your timeline. This prevents others from publicly linking you to events or locations without your knowledge — a detail that matters especially for professionals whose employer relationships should not be visible to strangers.
Search Engine Visibility
Under Settings > Privacy > How People Find and Contact You, disable "Do you want search engines outside of Facebook to link to your profile?" This removes your Facebook profile from Google and Bing results over the following weeks. Also change "Who can send you friend requests?" to Friends of friends to reduce exposure to fake and throwaway accounts.
Connected Apps and Websites
Go to Settings > Apps and Websites. Most longtime users will find dozens of applications with active read access they've long forgotten about. Remove anything you don't actively use, and pay particular attention to apps that requested access to your friends list — those frequently harvest social graphs, not just your own data. Phishing campaigns often begin with data harvested from these dormant app connections, giving attackers verified social relationships to exploit in targeted messages.
Facebook Privacy Lockdown: Step-by-Step
Run Privacy Checkup
Go to Settings & Privacy > Privacy Checkup. Facebook's wizard covers the highest-impact controls first — complete every section before making manual changes.
Restrict Past Posts
Under Settings > Privacy > Your Activity, use 'Limit Past Posts' to change all previous public content to Friends only. Run this after completing the Privacy Checkup.
Disable Search Engine Indexing
Under Settings > Privacy > How People Find and Contact You, turn off 'Do you want search engines outside of Facebook to link to your profile?' Allow several weeks for Google/Bing caches to clear.
Enable Tag Review
Under Settings > Profile and Tagging, enable tag review so all tags require your approval before appearing on your timeline. Also restrict who can see tagged posts you're mentioned in.
Audit Connected Apps
Go to Settings > Apps and Websites. Remove all inactive apps. Pay special attention to any with friends list access — these frequently harvest social graph data for targeting and advertising.
Lock Down Your Bio Fields
Edit your profile and set your date of birth, phone number, home city, and relationship status to 'Only Me.' These fields feed directly into OSINT reconnaissance even when your posts are private.
Instagram, LinkedIn, TikTok, and X: Platform-Specific Controls
Each platform requires a tailored approach to privacy. The controls below focus on the changes that provide the most protection with minimal impact on functionality. Apply them as a set — leaving one platform open while locking down others gives attackers a side door.
The single most impactful Instagram change is switching from a public account to a private account under Settings > Account Privacy. All future follower requests must be approved before they can view your posts or stories. For existing followers, your content remains visible immediately — this setting only gates new requests going forward.
Beyond that, disable your activity status under Settings > Privacy > Activity Status so others can't see when you're online. In Settings > Privacy > Story, restrict who can reshare your stories and turn off the option allowing others to add your posts to their own. Review connected apps under Settings > Apps and Websites and revoke anything inactive. Instagram's "Close Friends" list lets you share certain content with a vetted subset of followers — useful for professionals who want some personal content visible without broadcasting it to all approved followers.
LinkedIn requires a different balance — you want to be discoverable by legitimate professional contacts, but not expose personal data to bad actors. Go to Settings > Visibility > Profile Viewing Options and set yourself to appear as "LinkedIn member" when browsing other profiles anonymously. This prevents competitors or social engineers from seeing who's researching them.
Under Settings > Visibility > Connections, hide your connections list. A visible network is a ready-made targeting list for anyone impersonating a colleague — a tactic frequently used in business email compromise schemes. Also turn off data sharing with third-party applications under Settings > Data Privacy, and disable the "People also viewed" widget on your profile page. Remove your phone number and personal email from your contact info section entirely — a work email is sufficient for professional discovery.
TikTok
TikTok's algorithm relies heavily on personal data, making privacy settings especially important to review. Switch to a private account under Settings > Privacy > Privacy and safety. Turn off "Suggest your account to others" features that use your phone contacts, Facebook friends, or browsing patterns. Disable location services entirely and review which personal information appears in your bio. TikTok's default settings are among the most permissive of any major platform — treat everything as public until you've explicitly changed it.
TikTok also enables "Personalized ads" by default using data from your device and browsing history outside the app. Under Settings > Privacy > Ads personalization, turn off both on-platform and off-platform data use. This doesn't eliminate ads, but it stops the platform from building a behavioral profile tied to your device's broader activity.
X (formerly Twitter)
In Settings > Privacy and Safety > Audience and Tagging, enable "Protect your posts" to make your account private. Under Settings > Privacy and Safety > Location Information, turn off precise location access and remove stored location data from past posts. X collects granular location data by default — disabling it going forward does not delete historical records, so submit a data deletion request through the platform's privacy settings if past location exposure concerns you.
Also review Settings > Privacy and Safety > Data Sharing and Off-X Activity, which controls whether X tracks your behavior on external websites. Turn off all off-platform data collection. Under Ads preferences, opt out of interest-based and data-partner advertising to reduce the cross-site tracking profile that X maintains on your account.
Third-Party Apps Are a Silent Privacy Drain
Connected applications represent one of the largest blind spots in any social media privacy settings review. When you sign up for a service using "Login with Facebook" or grant an app permission to post on your behalf, that application receives an access token with specific permissions that typically don't expire automatically.
Popular fitness apps, gaming platforms, and productivity tools accumulate these permissions over years. Even if you stop using the service, the app retains the ability to read your profile data, friend lists, and in some cases post content on your behalf. Data brokers specifically target these dormant connections because users forget they exist.
The most dangerous permissions involve friend list access. Apps that can read your social graph often mine that data to build targeting profiles for advertising or sell contact lists to third parties. Games that request friend list access to enable social features frequently retain and monetize that data long after you've deleted the game. This is not a hypothetical: the 2018 Cambridge Analytica incident demonstrated how granted permissions to a third-party quiz app were used to harvest data from 87 million Facebook users without their direct consent.
Beyond social media, this same principle applies to any service where you use a social login. "Sign in with Facebook" and "Sign in with Google" create a single point of failure — if your social account is compromised, every linked service is also at risk. Where possible, create standalone credentials and manage them with a dedicated password manager. For the identity security standard that governs how these flows should work, see NIST SP 800-63B Digital Identity Guidelines.
Bottom Line
Third-party app permissions don't expire automatically. An app you connected to Facebook five years ago may still have read access to your profile and friend list today. Audit connected apps on every platform annually — remove anything you don't actively use, regardless of how trusted the service seemed when you granted access.
Privacy Mistakes That Leave You Exposed After Updating Settings
Reviewing settings once and considering the job done is the most common mistake users make. Social media companies routinely introduce new features with permissive defaults — sometimes tucked behind a notification you dismissed or buried in an updated terms-of-service rollout. Scheduling a semi-annual review, ideally timed around major platform updates, ensures nothing has changed without your knowledge.
Commenting on Public Posts
Your account's privacy settings protect your own posts, not your replies on other people's public content. A comment on a news outlet's post or a public figure's update is visible to anyone who views that thread, regardless of your account's privacy level. Your comment history is accessible to anyone — be deliberate about what you engage with publicly. For professionals whose employers are identifiable from their profile context, a pattern of public comments can reveal political views, personal circumstances, or employer relationships that your locked-down profile deliberately hides.
Neglecting Account Recovery Options
Users who enable strong passwords and multi-factor authentication (MFA) sometimes leave account recovery pointing to an email address they no longer control or a disconnected phone number. Attackers regularly exploit stale recovery options as the path of least resistance — the strongest account password means nothing if recovery routes to an abandoned inbox. Verify your recovery contacts on every social platform at least once per year.
Password Reuse Across Platforms
Password reuse turns a single breach into a cascade of account takeovers. CISA recommends a unique, strong password for every account. Our guide to NIST guidance on credential stuffing explains how attackers automate reuse attacks using breached password lists — meaning if one platform exposes your password, every account sharing it is immediately at risk. A password manager eliminates the friction of maintaining unique credentials across dozens of accounts.
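The cascade described above can be measured against your own password manager export. The script below is an added example, not code from the original article or from any vendor: it reads a constructed CSV export in the common name/url/username/password layout (the rows and passwords are invented), groups entries by a truncated SHA-256 fingerprint so the report never carries plaintext, and answers the practical question "if this one site is breached, which other accounts fall with it?"

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample vault export (name,url,username,password). Values are
# invented for this example; three accounts deliberately share one password.
SAMPLE_EXPORT = """name,url,username,password
Facebook,https://facebook.com,alice@example.com,Summer2019!
LinkedIn,https://linkedin.com,alice@example.com,Summer2019!
Bank,https://bank.example,alice,x9#Lq2!vTm7Rb4@k
Instagram,https://instagram.com,alice_ig,Summer2019!
Gaming forum,https://forum.example,alice,hunter2
"""


def _fingerprint(password):
    # Truncated SHA-256 used only to group entries in the report, so the
    # output can be kept or shared without exposing the plaintext password.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def load_entries(export_text):
    """Parse a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(export_text)))


def find_reused_passwords(export_text):
    """Return {fingerprint: [site names]} for every password used on more than one site."""
    groups = defaultdict(list)
    for row in load_entries(export_text):
        groups[_fingerprint(row["password"])].append(row["name"])
    return {fp: sorted(names) for fp, names in groups.items() if len(names) > 1}


def blast_radius(export_text, breached_site):
    """Sites that fall together with `breached_site` in a credential-stuffing
    attack because they share its password: the cascade described in the text."""
    entries = load_entries(export_text)
    leaked = {r["password"] for r in entries if r["name"] == breached_site}
    return sorted(r["name"] for r in entries
                  if r["name"] != breached_site and r["password"] in leaked)


if __name__ == "__main__":
    for fp, sites in find_reused_passwords(SAMPLE_EXPORT).items():
        print("password %s is reused on %d sites: %s" % (fp, len(sites), ", ".join(sites)))
    print("If Facebook leaks, also reset:", blast_radius(SAMPLE_EXPORT, "Facebook"))
```

Run it against a real export only on a trusted machine and delete the export file afterwards; the fingerprint is for grouping, not a safe way to store or transmit passwords.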
Oversharing in Bio Fields
Even with post visibility locked down, many users leave their full date of birth, current city, employer, and phone number visible in profile bio sections that default to public. These fields feed directly into the OSINT reconnaissance process. Remove or generalize any bio field that isn't professionally necessary — a city region instead of a specific address, a job title instead of a full employer hierarchy. Your date of birth is particularly dangerous: it appears in multiple account recovery flows and is one of the primary identifiers used in financial identity theft.
Advanced Privacy Controls for High-Risk Individuals
Certain professions and personal circumstances require additional privacy measures beyond standard social media controls. Healthcare workers, legal professionals, financial advisors, and public figures face elevated targeting from social engineers and cybercriminals who view professional data as a gateway to client records or sensitive systems.
If you fall into a high-risk category, apply these additional steps alongside the standard social media privacy settings guide: use different names or initials on professional versus personal social platforms, maintain strict separation between work and personal networks, audit tagged photos regularly for embedded location metadata, and monitor your online presence with Google Alerts for your name, employer, and professional credentials appearing in unexpected places.
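Auditing photos for embedded location metadata, as the list above recommends, can be done before a photo is ever uploaded. The script below is an added example and not code from the original article: it walks the JPEG marker segments, locates the EXIF APP1 block, follows the GPS IFD pointer (tag 0x8825) to the GPSLatitude/GPSLongitude entries, and can strip the whole EXIF segment. The sample file it works on is constructed in code (a JPEG-shaped byte string with no real image data and invented coordinates); the tag numbers and TIFF layout are the standard EXIF ones, but the parser only handles the inline ASCII and RATIONAL cases this audit needs, not the full EXIF specification.

```python
import struct

# ---- Constructed sample: SOI, a COM segment, an EXIF APP1 with a GPS IFD, EOI ----

def _tiff_with_gps(lat=(37, 46, 30), lon=(122, 25, 10), ns=b"N", ew=b"W"):
    """Little-endian TIFF block: IFD0 -> GPS IFD pointer (0x8825) -> GPS IFD.
    Offsets from the TIFF header: 0 header | 8 IFD0 | 26 GPS IFD | 80 lat | 104 lon."""
    hdr = b"II" + struct.pack("<HI", 0x2A, 8)
    ifd0 = (struct.pack("<H", 1)
            + struct.pack("<HHII", 0x8825, 4, 1, 26)   # LONG, count 1, offset of GPS IFD
            + struct.pack("<I", 0))                     # no next IFD

    def ascii_entry(tag, value):                       # ASCII values <= 4 bytes sit inline
        return struct.pack("<HHI", tag, 2, 2) + value + b"\0\0\0"

    def rationals(vals):                               # RATIONAL = uint32 numerator, denominator
        return b"".join(struct.pack("<II", v, 1) for v in vals)

    gps = (struct.pack("<H", 4)
           + ascii_entry(0x0001, ns)                   # GPSLatitudeRef
           + struct.pack("<HHII", 0x0002, 5, 3, 80)    # GPSLatitude: 3 rationals at offset 80
           + ascii_entry(0x0003, ew)                   # GPSLongitudeRef
           + struct.pack("<HHII", 0x0004, 5, 3, 104)   # GPSLongitude: 3 rationals at offset 104
           + struct.pack("<I", 0))
    return hdr + ifd0 + gps + rationals(lat) + rationals(lon)


def build_sample_jpeg(with_gps=True):
    comment = b"constructed sample"
    com = b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment
    payload = b"Exif\0\0" + _tiff_with_gps()
    app1 = b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload
    return b"\xff\xd8" + com + (app1 if with_gps else b"") + b"\xff\xd9"


# ---- Audit and strip ----

def iter_segments(data):
    """Yield (marker, start, end) for each metadata segment before SOS/EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):   # EOI, or SOS (entropy-coded image data follows)
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes the 2 length bytes
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def _is_exif(data, start):
    return data[start + 1] == 0xE1 and data[start + 4:start + 10] == b"Exif\0\0"


def _entries(tiff, endian, ifd):
    """Yield (tag, type, count, raw 4 value/offset bytes) for one IFD."""
    n = struct.unpack(endian + "H", tiff[ifd:ifd + 2])[0]
    for i in range(n):
        e = ifd + 2 + 12 * i
        tag, typ, cnt = struct.unpack(endian + "HHI", tiff[e:e + 8])
        yield tag, typ, cnt, tiff[e + 8:e + 12]


def _gps_from_tiff(tiff):
    endian = "<" if tiff[:2] == b"II" else ">"
    ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
    gps_ifd = None
    for tag, _typ, _cnt, raw in _entries(tiff, endian, ifd0):
        if tag == 0x8825:
            gps_ifd = struct.unpack(endian + "I", raw)[0]
    if gps_ifd is None:
        return None
    fields = {}
    for tag, typ, cnt, raw in _entries(tiff, endian, gps_ifd):
        if typ == 2 and cnt <= 4:                   # ASCII stored inline
            fields[tag] = raw[:cnt].rstrip(b"\0").decode("ascii")
        elif typ == 5:                              # RATIONAL array at the given offset
            off = struct.unpack(endian + "I", raw)[0]
            nums = struct.unpack(endian + "II" * cnt, tiff[off:off + 8 * cnt])
            fields[tag] = [nums[i] / nums[i + 1] for i in range(0, 2 * cnt, 2)]
    if 0x0002 not in fields or 0x0004 not in fields:
        return None
    dms = lambda d: d[0] + d[1] / 60 + d[2] / 3600   # degrees, minutes, seconds -> decimal
    lat = dms(fields[0x0002]) * (-1 if fields.get(0x0001) == "S" else 1)
    lon = dms(fields[0x0004]) * (-1 if fields.get(0x0003) == "W" else 1)
    return round(lat, 6), round(lon, 6)


def find_gps(data):
    """Decimal (lat, lon) if the file's EXIF block carries GPS coordinates, else None."""
    for _marker, start, end in iter_segments(data):
        if _is_exif(data, start):
            return _gps_from_tiff(data[start + 10:end])
    return None


def strip_exif(data):
    """Copy of the JPEG with every EXIF APP1 segment removed; other segments kept."""
    out, last = bytearray(), 0
    for _marker, start, end in iter_segments(data):
        if _is_exif(data, start):
            out += data[last:start]
            last = end
    out += data[last:]
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample_jpeg()
    print("GPS in sample:", find_gps(sample))                # (37.775, -122.419444)
    print("GPS after strip:", find_gps(strip_exif(sample)))  # None
```

To audit a real file, read it with `open(path, "rb").read()` and pass the bytes to `find_gps`; write the result of `strip_exif` to a new file rather than overwriting the original. Note that platforms differ in whether they strip EXIF on upload, so the check belongs on your side before the upload, and that stripping EXIF does not remove location clues visible in the image itself.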
For professionals handling sensitive client data, additional compliance requirements apply beyond personal social media hygiene. Tax preparers operating under FTC Safeguards Rule requirements must assess personal social media exposure as part of their broader risk management posture. The IRS Written Information Security Plan (WISP) framework for financial professionals extends to the personal device and account practices of anyone with access to client data. Similarly, healthcare providers should review HIPAA cybersecurity requirements that extend to how staff use personal devices and social accounts in ways that could expose protected health information.
Executives and high-net-worth individuals are frequent targets of "whaling" attacks — spear-phishing attempts that use detailed personal information gathered from social media to impersonate attorneys, accountants, or family members. The breach of senior officials' personal email accounts demonstrates that even security-conscious individuals face serious risk from inadequate personal account hygiene. For these individuals, a professional personal cybersecurity review can identify exposure points that automated tools and platform settings alone cannot address.
Securing Your Smartphone to Complement Social Media Privacy
Social media privacy settings work in conjunction with your device security posture. Many social media apps request permissions — microphone, camera, contacts, location — that go well beyond what the app needs to function. On both iOS and Android, you can review and restrict app permissions under Settings > Privacy. This is a necessary companion step to any social media privacy settings review: platform settings control what others see, but device permissions control what the apps themselves collect from your phone.
Location permissions deserve particular attention. Most social media apps default to "Always" location access, meaning they can track your physical location even when the app is closed. Change these to "While Using" or disable them entirely. Instagram, TikTok, and Snapchat all use background location data to serve targeted content and advertising — data that can be exposed if the platform suffers a breach or sells location data to third parties.
For broader smartphone security practices, our guide on securing your smartphone from hackers covers the device-level controls that complement social media privacy settings. Secure messaging apps also reduce the risk that private conversations get exposed through insecure channels — see our comparison of secure messaging apps for personal privacy.
VPN use adds another layer when accessing social media on public networks. Coffee shop Wi-Fi and hotel networks expose unencrypted traffic to anyone on the same network segment. A reputable VPN encrypts your connection between your device and the internet, preventing network-level eavesdropping on your session. Our guide on how to choose a VPN covers what to look for and what to avoid in consumer and professional VPN products.
Data Brokers: The Threat That Persists After You Lock Down Social Media
Even after completing every step in this social media privacy settings guide, your personal information may still be publicly available through data broker databases. Companies like Spokeo, Whitepages, Intelius, and BeenVerified aggregate public records — property records, court filings, voter registrations, and data scraped from social media — and sell access to anyone willing to pay a subscription fee.
Data brokers pull from hundreds of sources, including the very social platforms you're trying to secure. A private Instagram account doesn't prevent a data broker from listing your home address, phone number, and estimated income alongside your publicly visible LinkedIn profile photo. The two exposure vectors are independent — locking one doesn't lock the other.
Most data brokers offer an opt-out process, but these vary significantly by broker and require submitting opt-out requests individually to each company. Some opt-out requests expire after one to two years and require re-submission. The process is time-consuming: there are hundreds of active data broker sites, and manual opt-outs typically cover only the largest. Automated opt-out services exist and provide broader coverage, though results vary by service and broker responsiveness.
The FTC has called for greater transparency and accountability from data brokers, but meaningful federal regulation of the industry remains limited as of 2026. Several states — including California under the California Privacy Rights Act (CPRA) and Virginia under the Consumer Data Protection Act (CDPA) — have enacted opt-out rights for residents that require brokers to honor deletion requests within specific timeframes. Check your state's consumer privacy law to understand what rights apply to you. Taking personal action — opt-outs, privacy settings, and limiting what you share publicly — remains the most reliable defense available to individuals regardless of jurisdiction.
For individuals handling sensitive professional data, the intersection of personal social media exposure and regulatory compliance adds additional urgency. Our guide on personal financial security covers how data broker exposure affects identity theft risk for financial professionals specifically.
Get a Personal Cybersecurity Assessment
A platform-by-platform privacy review is a strong start, but social media is only one exposure surface. Our personal cybersecurity assessment identifies all the gaps — social, device, account, and data broker — in a single review session.
Staying Ahead of Future Privacy Changes
Social media privacy is not a one-time configuration task — it's an ongoing practice. Platforms update their privacy policies, introduce new data-sharing features, and occasionally reset user preferences during major product changes. The most effective approach treats privacy settings as infrastructure that requires regular maintenance, not a one-time setup.
Set a recurring calendar reminder every six months to revisit each platform. When a major platform update ships, check the settings that matter most — post visibility, connected apps, and location permissions — before the notification prompting you to "try new features" creates an opening for permissive defaults. Subscribe to privacy-focused publications or security advisories from organizations like CISA to stay informed when major platforms change their data practices.
For parents, the same social media privacy settings guide principles apply to minor children's accounts, with additional considerations. Most platforms require users to be 13 or older, but age verification is minimal. Platforms including Instagram and TikTok have introduced parental supervision tools that allow account monitoring without requiring access to the child's password — worth enabling for any minors with active accounts. The multi-factor authentication step is especially important for teen accounts, which are disproportionately targeted by account takeover attacks using credential stuffing from gaming platform breaches.
For anyone who has experienced an account compromise, a broader security review is warranted — not just resetting the compromised account's password. Connected apps across all platforms should be audited, recovery contacts verified everywhere, and breach notification services checked to identify what credentials were exposed. Our guide on personal cybersecurity practices covers the full post-compromise recovery checklist.
What This Means for You
Social media privacy is layered: platform settings control post visibility, device permissions control what apps collect, and data broker opt-outs address the information that already exists publicly. All three layers need attention. Completing this social media privacy settings guide — and repeating the review every six months — closes the most common gaps that attackers exploit for identity theft, account takeover, and targeted phishing.
Get Your Free Personal Security Review
Our experts will evaluate your current social media exposure, device security posture, and data broker presence — then give you a prioritized action plan.
Frequently Asked Questions
Review your privacy settings at least every six months — and immediately after any major platform update or product change. Social media companies routinely introduce new features with permissive defaults. A semi-annual review, ideally aligned with your password manager audit, is the minimum cadence to catch changes before they expose your data. Set a calendar reminder so the review doesn't slip.
Switching to a private account means new users must request to follow you before seeing your content — but existing followers retain access immediately. For most personal accounts, this is the right trade-off: you retain your existing audience while stopping public exposure to strangers. For professional creators or businesses that depend on organic discovery, a private account may not be appropriate — focus instead on restricting bio data, disabling off-platform tracking, and auditing connected apps.
Your full date of birth, mother's maiden name, high school name, and childhood hometown are the most dangerous because they appear in common security questions used for account recovery. Combined with your current employer and job title (visible on LinkedIn), this information gives attackers enough material for targeted spear-phishing and account takeover without needing to compromise any system. Remove these from all bio fields or generalize them — use a birth year instead of a full date, a region instead of a specific city.
Each platform has a dedicated section for this: Facebook: Settings & Privacy > Settings > Apps and Websites. Instagram: Settings > Apps and Websites. LinkedIn: Settings > Data Privacy > Other applications. Twitter/X: Settings > Security and Account Access > Apps and Sessions. TikTok: Settings > Privacy > Apps with access. Review each list, remove anything inactive, and pay particular attention to apps with friend list or contacts access — those permissions are the most frequently misused for data harvesting.
It creates a single point of failure. If your Facebook or Google account is compromised, every service you've connected through it becomes accessible without an additional password. The attacker also gets a list of every service you've linked — providing a roadmap to your financial, shopping, and productivity accounts. Where possible, create standalone credentials for important services and manage them with a password manager. Reserve social login for low-stakes services you access infrequently.
You can significantly reduce your data broker presence but not eliminate it entirely. Most major brokers — Spokeo, Whitepages, Intelius, BeenVerified, and others — have opt-out processes, but each requires a separate request. Some opt-outs expire after one to two years and must be re-submitted. Automated opt-out services provide broader coverage, though effectiveness varies. Residents of California, Virginia, and several other states have statutory rights to request deletion under consumer privacy laws, which some brokers must honor within defined timeframes. Check your state's current consumer privacy law for the specific rights available to you.
Act immediately across all connected services, not just the compromised account. First, regain access using account recovery tools and reset your password to something unique. Second, revoke all connected app permissions — an attacker who accessed your account may have granted access to malicious apps. Third, check all other accounts that shared the same password and reset those credentials. Fourth, review your account recovery contacts to ensure the attacker hasn't substituted their own email or phone number. Fifth, enable multi-factor authentication if it wasn't already active. Finally, check breach notification services to identify what other credentials may have been exposed.
They're an important layer, but not sufficient on their own. Social media settings control what you share voluntarily — they don't address information that already exists in data broker databases, public records, or past breaches. A complete personal privacy posture combines platform privacy settings, data broker opt-outs, strong and unique passwords with a password manager, multi-factor authentication on every account, and a personal cybersecurity review to identify any exposure points you've missed. For individuals in high-risk professions, regular monitoring of your name and credentials in breach databases adds another layer of early warning.
Not automatically. Most platforms apply new privacy settings only to future posts — historical content remains at whatever visibility level was set when it was published. Facebook offers a 'Limit Past Posts' tool under Settings > Privacy that retroactively restricts all previously public posts to Friends, but this is a one-way change. Instagram, TikTok, and X do not offer a bulk historical post restriction tool — for those platforms, old public posts remain indexed by search engines until deleted individually or until the account is set to private going forward. Consider periodically auditing and deleting old public posts that contain personal information.
Yes — the trade-offs differ significantly. A personal account benefits from maximum restriction: private profile, limited bio data, no public follower list. A professional account used for networking or content creation needs to balance discoverability with data minimization. For LinkedIn specifically, keep your profile discoverable but remove personal identifiers (phone number, full birthdate, home city) from contact fields; hide your connections list to prevent social graph harvesting; and use a professional email rather than a personal one in your contact info. Never connect personal and professional accounts through social login or cross-posting — keep them as separate identities with separate credentials.