Software & Apps

Mastodon Safety: How To Protect Against Security and Privacy Risks

Posted on November 10th, 2022 by

Following billionaire Elon Musk’s recent acquisition of Twitter, some dissatisfied users have begun looking for a new social network to call their home. One network that has been rapidly gaining users is Mastodon.

Mastodon is technically open-source software that enables federated social networks, meaning that one corporation does not have control over the Mastodon network or service. Instead, anyone can operate their own server, called an “instance.”

This is vastly different from virtually all popular social networks today. As such, it presents unique challenges—including some privacy, security, and identity validation issues. Let’s examine some potential concerns and how you can protect yourself.

In this article:

1. Instance admins can see everything, so choose your instance carefully

One of the first things potential Mastodon users need to decide is which instance (server) they want to join. There are lots of them, and it’s outside the scope of this article to help you choose a specific instance. Some will tell you that the instance you choose “doesn’t matter.” However, there are some vitally important considerations to keep in mind when making your choice.

Instance owners and admins know everything about you

Instance operators, and anyone else they entrust as admins, have great power over your use of the network—and your data. They can delete your account at any time. They know your e-mail address. They know your recent IP addresses—which could give away where you live, work, or visit in the real world. And they can see your direct messages; they aren’t encrypted.

Of course, many of the same things could be said about a major social network like Twitter. But at least in the case of a larger network, there are clearly defined rules and standards. There’s an expectation that those rules are supposed to be applied fairly to everyone. With Mastodon instances, it may be one individual making the decisions about whether to enforce the rules and how to treat user data.

Government requests may be handled with less resistance, less transparency

Mastodon instance operators are usually volunteers who spend much of their free time maintaining their instance. Naturally, they may not want to spend a lot of time handling challenges with users.

If they receive requests from their own (or a foreign) government to turn over information about a user, some instance operators will likely comply with little resistance. After all, they’re already giving up a lot of their own personal time already. They’re probably not lawyers. And they probably don’t want to get in trouble for potentially hindering an investigation.

Major social networks, on the other hand, have departments that handle government requests. They’re familiar with the law and know when pushing back may be appropriate. Companies often publish regular reports (e.g. Twitter, Meta, TikTok, LinkedIn) detailing the types of government requests they’ve received, and how often they’ve complied with such requests. It isn’t reasonable to expect that a volunteer Mastodon instance operator will do the same.

It’s also possible that an instance operator could get fooled by a fake government request, and unknowingly send someone’s private information to a malicious party. Again, this is less likely to happen with a major social network that employs teams of expert handlers.

How to protect your privacy from instance admins

Following are some mitigation strategies for the potential concerns listed above.

When you create a Mastodon account, choose an instance operated by someone you know and trust, if possible. At least try to find an instance whose operator seems to have positive qualities that you value.

If you’ve already joined an instance and later decide you don’t trust your instance admin, you can move your account to a different instance. (Check your Settings for details. Go to your instance’s homepage in a browser, and if you can’t find the Settings button, click on “Edit profile” to get there.) Just remember that if you switch instances, you’re now trusting an entirely different person with all of the same personal information.

If you want to try to avoid leaking your IP address to instance admins, use a trusted VPN (for example, Intego Privacy Protection, available for Mac and Windows) and leave it on all the time. You might want to leave your VPN turned on when using other social networks, too.

Since direct messages on Mastodon are not end-to-end encrypted, don’t send private information via DM. Again, this is good advice for any social network; assume that your conversations can been seen by server administrators.

To prevent instance admins from knowing your e-mail address, create a custom forwarding address using Apple’s Hide My Email or DuckDuckGo Privacy Protection.

Which Is Better: Apple’s Hide My Email or DuckDuckGo Email Protection?

2. Mentioning someone in a DM adds them to the conversation

Direct messages on Mastodon are awkwardly designed. Technically, a “direct message” is more like a regular message, but with its privacy set to only the mentioned individuals.

This can be a problem for a variety of reasons. For example, if you’re trying to report abuse to the instance operator, you could unintentionally “out” yourself to the abuser as the person who reported them.

How to avoid adding someone to a Mastodon direct message

Of course, the easiest way to avoid unintentionally mentioning someone is to not type @ followed by their username when composing any message. Make sure that your friends are aware of this “feature, not a bug,” so they don’t drag you into an uncomfortable situation.

And, as mentioned previously, don’t send private information in DMs. In fact, you should really treat “direct messages” on Mastodon as public posts. If you need to have a private conversation with someone, use an encrypted messaging service such as Signal, Threema, or WhatsApp.

5 Encrypted Messaging Apps for Mac, iPhone, and iPad

3. There’s no official “Verified” status on Mastodon (but you can verify yourself)

Next to someone’s name on Mastodon, you might see an icon that looks like the Twitter “blue check,” or Verified status symbol. Remember, Mastodon is really a network of federated instances operated independently from one another. There’s no central verification authority.

If you see a “blue check” after someone’s name, what’s really happened is that their instance has the Twitter Verified symbol as an emoji that anyone can use. On those instances, anyone can add :verified: (or the relevant Markdown name for the emoji) to their own username.

Although it’s fine if someone wants to do this for their own account, people who are new to Mastodon may mistake it for having the same meaning as on Twitter.

How to identify if an account really belongs to someone you know

Don’t trust symbols after someone’s name; there is no official Verified status for Mastodon accounts.

However, there are certain things that users can do to demonstrate that they really are who they claim to be. And, therefore, there are ways that you can confirm their identity.

In most cases, you probably “know” the person from another social media platform, such as Twitter. You can check their profile on that platform to see if they’ve put their Mastodon username, or a link to their account, in a prominent place or in a recent tweet. This has become popular enough recently that there are actually services that will check the accounts of everyone you’re following on Twitter to see if they’ve posted a Mastodon profile in their bio or a pinned tweet. Not everyone does, of course, but it’s one way to find people on Mastodon that you’re following on Twitter. (There’s an automated way to check everyone you follow on Twitter at the same time; see the “Third-party services” section below.)

Verified links can confirm a user’s identity

Another way to confirm if a Mastodon user is really the person you know is to check whether they have verified links in their bio. (This was just recently implemented in the official Mastodon mobile app, so make sure your app is up to date. You can also check for verified links when logged into Mastodon in your browser.) Do you see at least one link preceded with a green check mark next to it, and a green background? And is that linked site actually affiliated with the user? If so, this is reasonably strong* confirmation that the Mastodon user had access to edit that site and embed a verification link into it.

(*I say “reasonably strong” because someone could trick you with a lookalike domain name; for example, apple.com is not the same as appIe.com — one of those has a capital i instead of a lowercase L. Also, due to Mastodon’s federated nature, it’s theoretically possible that someone could host their own Mastodon instance and modify it to falsely verify their own links, at least as far as how it would appear if you viewed their instance in a browser. But, in theory, it should not be possible to spoof site verification on the existing major Mastodon instances.)

Here’s an example of a verified link on my profile, as it would appear if you went to my profile page https://infosec.exchange/@theJoshMeister in a browser.

The blue “Verification check” badge by my name is actually a meaningless icon, but the “green check” by the link in my bio validates my affiliation with that site.

If you own a site or blog and want to verify yourself (if your instance supports this), you can add a link to your Mastodon profile with rel="me" included in the a tag. For example:

<a rel="me" href="https://your.instance/@username">Mastodon</a>

This would add the word “Mastodon” as a link to your profile. Pro tip: A secret alternative is to add a link tag in between the <head> and </head> tags in your site’s HTML code. This option does not include a clickable link to your profile. You might want to do this if you’re just experimenting with Mastodon and don’t want to advertise or link to your account yet. Example code:

<link rel="me" href="https://your.instance/@username">

After you’ve added verification code to your site, here are the steps to get a verified link on your profile:

  1. Log into your Mastodon instance in a browser and then click “Edit profile.”
  2. Under “Profile metadata,” type a short Label (e.g. “My Blog”).
  3. In the Content field, paste the URL of your page that has the embedded verification code.
  4. Click on the “Save Changes” button.

Third-party services that help Mastodon users find those they follow on Twitter

There are two popular Twitter profile-scanning services called Fedifinder and Debirdify. If you grant read-only access to your Twitter account, they can help you find everyone you follow who has a Mastodon username or link in their Twitter bio or a pinned tweet. (After using either service, it’s a good practice to deauthorize its read-only access to your Twitter account here.) If you want others to find you through these services, add your Mastodon username (in the format @[email protected]) or a link to your Mastodon profile, either in your Twitter name, bio, or in a pinned tweet.

A similar but functionally different service that can help you find your Twitter friends is Twitodon. Rather than scanning Twitter bios and pinned tweets for Mastodon usernames or links, it instead checks the accounts you’re following against its own database. If any of your Twitter friends have previously used Twitodon, you’ll get a list of their Mastodon usernames that you can either copy and paste, or export and import into Mastodon. In my experience, although Twitodon produced significantly fewer results than the other two, it also found some connections that the others didn’t. I recommend running Twitodon at least once, which will add your matching Twitter and Mastodon accounts to its database to help others find you—and if you happen to find a few more of your friends through it, that’s a nice bonus. (Again, be sure to deauthorize the service’s read-only access to your Twitter account. You’ll also need to revoke its access to your Mastodon account; see the instructions on Twitodon’s site.)

All three of those services provide the option to export a .csv text file listing the Mastodon usernames. You can optionally import the whole list into your Mastodon account to immediately follow everyone. (To import a list, go into your Mastodon settings in a browser, then click on “Import and export,” then click on Import.) Debirdify also lets you export lists of people you’ve muted or blocked on Twitter, in case you want to import those lists into Mastodon.

Because these services use OAuth to connect to your accounts, you can feel confident that username outputs coming from these services are valid (or, in the case of Twitodon, was valid at the time your friend last used it). One more thing to know: You may want to check back with these services every so often to see if they find new friends who started using Mastodon after the last time you checked. If you follow a lot of people, consider checking weekly during this period of Mastodon’s exponential growth.

Another site that’s worth mentioning is Fedified, which is very different from the services mentioned above. Fedified is simply a list of several hundred people of various degrees of notability, including a few celebrities, whose Mastodon accounts have been confirmed to belong to the Twitter account owner. The list mainly includes people who were either Verified on Twitter before you could pay for Twitter’s blue badge, or people who have at least tens of thousands of Twitter followers and have been mentioned in the media.

Although you can download a subset of the Fedified list as a .csv file, realistically you’ll probably only recognize and want to follow a few people from it. I suggest that you scroll through the list on the Fedified site to look for people you recognize, and copy and paste their usernames into Mastodon to follow them manually.

Individuals listed in Fedified can optionally put a link to fedified.com in their Mastodon profile, and the link will get a green check. Impersonators won’t get a green check when linking to fedified.com. (Beware that someone could potentially register a lookalike Fedified domain to pretend to be on the real list. Ensure that the URL with the green check is actually https://fedified.com and not something else.)

A bit off-topic from verification, but related to finding people to follow: there’s also a Journalists on Mastodon spreadsheet listing over 1,000 people who self-identify as journalists, as well as Academics on Mastodon which links to dozens of lists of people from a wide range of academic disciplines. Note that the people in these lists have not necessarily been independently verified to be who they claim, or to work for the listed organizations. These lists are searchable, so you can try to find journalists or academics related to the topics that interest you.

Watch out for lookalike accounts

One more note on account validation: the same username can be registered on multiple Mastodon instances. It’s certainly possible for someone to register their own username on multiple instances. (In fact, some people actually do this intentionally, for example if they’re trying to decide which Mastodon community they prefer.)

However, it’s also possible that one or more accounts may be an impersonation. So if your friend is, for example, @[email protected], someone who wanted to impersonate them could register @[email protected]. Technically, your username plus the instance domain, with two @ signs, is your complete username on Mastodon. Be cautious about lookalike accounts.

4. Use a unique password and two-factor authentication

When registering an account on any site or service, it’s always wise to use a unique password that you’ve never used before. This means you’ll have a lot of passwords, which is why you should use a trusted password manager protected by one really secure password that you won’t forget.

How to Choose the Right Password Manager for You

Another given when you sign up for any site or service should be to enable two-factor authentication (2FA), if that option is available. This adds an additional layer of protection to make it a bit more difficult for an attacker to get into your account. For Mastodon, here’s how to do it:

  1. Log into your Mastodon instance in a browser (ideally on your Mac or iPad, rather than an iPhone), and then go to Settings. (If you can’t find the Settings button, click on “Edit profile” to get there.)
  2. Click on Account, then click on Two-factor Auth.
  3. From there, you have a couple options. You can choose either “Authenticator app” or “Security keys.” The latter can work with a physical dongle or biometrics (e.g. Touch ID on a Mac keyboard). Authenticator app is easier for anyone to set up, so I’ll explain how to do that. (Note: You can always go back and add a security key as an additional 2FA method layer.)
  4. If you selected “Authenticator app,” you’ll see a QR code and an alphanumerical token. Assuming you’re doing this in a Mac or iPad browser, open your authenticator app on your iPhone (e.g. Google Authenticator, or some password managers). Scan the QR code, or manually type (or copy and paste) the token into your authenticator app. You can set up multiple apps with the same code, if you wish.
  5. Next, your Mastodon instance will ask you to type a six-digit code from your authenticator app to confirm that everything is working, and you’ll be able to start using 2FA.
  6. You’ll also get some one-time use backup codes; you can store these in a safe place in case you ever lose access to your 2FA method, so you won’t be locked out of your account.

Never share your password, your six-digit temporary codes, or your backup codes with anyone. If anyone ever asks you for any of these things, they’re trying to hack your account

Two-factor authentication (2FA) apps for iOS: Which are the best?

5. Don’t deactivate or delete your Twitter account

Some prominent people have recently claimed that they’re done using Twitter and have no plans to return. If you decide to completely quit using Twitter, don’t deactivate or delete your Twitter account. Twitter’s policy is that once you deactivate your account, after a 30-day grace period, the account is deleted permanently—and your username is up for grabs. Anyone else can register your former username. They could impersonate you or create a parody account mocking you. Even if the new account owner doesn’t intend to hijack your identity, other people visiting an old link (or who memorized your old username) might mistakenly think that the new account owner is you.

Deleting your Twitter account: After your 30-day deactivation window, your Twitter account is permanently deleted. When you don’t log into your account during the 30-day window, it lets us know you want to permanently delete your Twitter account. Once your account is deleted, your account is no longer available in our systems. You won’t be able to reactivate your previous account and you won’t have access to any old Tweets. Once your account is deleted after the 30-day deactivation window, your username will be available for registration by other Twitter accounts.

Twitter’s policies allow anyone to reuse a deleted account’s username.

These are some of the things you should know if you’re thinking about using (or already use) Mastodon. Please share a link to this article with your friends on Twitter and Mastodon to help ensure they’re aware of these important security tips. And feel free to follow @[email protected] and @[email protected], if you’d like.

Got any additional tips related to Mastodon security, privacy, and identity verification? Share them in the comments below.

How can I learn more?

Each week on the Intego Mac Podcast, Intego’s Mac security experts discuss the latest Apple news, security and privacy stories, and offer practical advice on getting the most out of your Apple devices. Be sure to follow the podcast to make sure you don’t miss any episodes.

You can also subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for the latest Apple security and privacy news. And don’t forget to follow Intego on your favorite social media channels: Follow Intego on Twitter Follow Intego on Facebook Follow Intego on YouTube Follow Intego on Pinterest Follow Intego on LinkedIn Follow Intego on Instagram Follow the Intego Mac Podcast on Apple Podcasts

About Joshua Long

Joshua Long (@theJoshMeister), Intego's Chief Security Analyst, is a renowned security researcher, writer, and public speaker. Josh has a master's degree in IT concentrating in Internet Security and has taken doctorate-level coursework in Information Security. Apple has publicly acknowledged Josh for discovering an Apple ID authentication vulnerability. Josh has conducted cybersecurity research for more than 20 years, which has often been featured by major news outlets worldwide. Look for more of Josh's articles at security.thejoshmeister.com and follow him on Twitter. View all posts by Joshua Long →