Social Media Privacy Settings Guide: Lock Down Your Accounts

Why Your Default Social Media Privacy Settings Are a Problem

Every major social media platform ships with settings that favor maximum visibility over personal privacy. Your posts, photos, employer, hometown, and date of birth may be publicly indexed by search engines and accessible to anyone on the internet — including people who want to exploit that information. This social media privacy settings guide gives you a platform-by-platform action plan to close those gaps in under an hour.

The threat is not abstract. Cybercriminals, scammers, and identity thieves routinely use Open-Source Intelligence (OSINT) techniques to scrape social profiles for data that fuels targeted attacks. A birthday in your bio, an employer tag, and a childhood hometown visible in your "About" section can be enough to answer security questions, compromise an account recovery flow, or file a fraudulent tax return in your name. The Pew Research Center reports that 72% of U.S. adults actively use at least one social media platform — which means the aggregate exposure is enormous.

If you haven't reviewed your privacy settings since creating your accounts, you are almost certainly sharing far more than you intend. The sections below walk you through what to change and why.

Social Media & Identity Risk: By the Numbers

  • $1.1B+ in social media fraud losses: reported to the FTC by U.S. consumers in 2023, more than any other initial contact method
  • 27% of fraud victims first reached via social media (FTC Consumer Sentinel Network Data Book 2024)
  • 72% of U.S. adults active on social media (Pew Research Center 2023), making it the primary digital identity exposure vector for most Americans

How Attackers Use Your Public Profile Data Against You

Before adjusting settings, it helps to understand what attackers actually do with overshared information. Threat actors who target individuals — for financial fraud, account takeover, or spear-phishing — follow a consistent playbook that starts with passive reconnaissance. They don't need to hack anything. They read your profile.

A public Facebook profile might reveal your full name, date of birth, hometown, relationship status, employer, and school history. LinkedIn adds your job title, reporting structure, and recent projects. Instagram exposes your daily routines, travel patterns, and social circle. Individually, each piece seems harmless. Combined, they give attackers enough material to:

  • Answer knowledge-based security questions — "What's your mother's maiden name?" is often findable in tagged family photos or comment threads.
  • Craft targeted spear-phishing emails — referencing your employer, a manager by name, or a recent work trip you posted about. Learn to recognize these attacks with our guide on how to spot phishing emails.
  • Bypass account recovery — combining your phone number with other public data to initiate SIM-swap fraud against your carrier.
  • Build synthetic identity profiles — using fragments of your real identity combined with fabricated data to open lines of credit.

According to FTC Consumer Sentinel Network data, social media is now the leading contact method for fraud by total dollar loss. If your profile is public and detailed, you are providing attackers with free reconnaissance. Understanding how your data looks from the outside is the first step, and our primer on OSINT for cybersecurity beginners shows you exactly what an attacker sees when they search your name.

Your 5-Step Social Media Privacy Audit

1. Inventory Every Account You Own

List every platform where you have an active or dormant account. Dormant accounts with public data and weak passwords are prime targets. Delete accounts you no longer use — deactivating is not enough, as your data remains stored and potentially exposed to future platform breaches.

2. Set Profile Visibility to Friends or Connections Only

Change your base audience setting from 'Public' to 'Friends' or 'Connections Only' on every active platform. This single change eliminates the most common form of passive social media reconnaissance attackers use against individuals.

3. Audit and Revoke Third-Party App Access

Navigate to each platform's connected apps section and revoke access for any application you no longer actively use or don't recognize. Many apps retain read access to your profile, contact list, and posts indefinitely after the initial authorization.

4. Enable Multi-Factor Authentication on All Accounts

Add an authenticator app — not SMS — to every social media account. This prevents account takeover even when your password is compromised. Use a strong, unique password for each platform, stored in a dedicated password manager.

5. Review Tagged Content and Location History

Enable manual approval for posts and photos others tag you in before they appear on your profile. Disable automatic location tagging on all platforms and review your past check-in history, removing location data from older posts where possible.

Facebook Privacy Settings: The Most Impactful Changes

Facebook offers more granular privacy controls than most platforms, but finding them requires deliberate effort. Start with Settings & Privacy > Privacy Checkup — Facebook's built-in wizard steps you through the highest-priority controls in sequence.

Posts and Profile Visibility

Under Settings > Privacy > Your Activity, set "Who can see your future posts?" to Friends. Then use the "Limit Past Posts" tool to retroactively restrict all previous public posts. This is a one-way change that cannot be reversed globally, so confirm you've saved anything you want to preserve before running it.

In Settings > Profile and Tagging, turn on tag review so every tag from another user goes into an approval queue before appearing on your timeline. This prevents others from publicly linking you to events or locations without your knowledge.

Search Engine Visibility

Under Settings > Privacy > How People Find and Contact You, disable "Do you want search engines outside of Facebook to link to your profile?" This removes your Facebook profile from Google and Bing results over the following weeks. Also change "Who can send you friend requests?" to Friends of friends to reduce exposure to fake and throwaway accounts.

Connected Apps

Go to Settings > Apps and Websites. Most longtime users will find dozens of applications with active read access. Remove anything you don't actively use, and pay particular attention to apps that requested access to your friends list — those frequently harvest social graphs, not just your own data.

Instagram, LinkedIn, and X: Platform-Specific Settings

Instagram

The single most impactful Instagram change is switching from a public account to a private account under Settings > Account Privacy. All future follower requests must be approved before they can view your posts or stories. For existing followers, your content remains visible immediately — this setting only gates new requests going forward.

Beyond that, disable your activity status under Settings > Privacy > Activity Status so others can't see when you're online. In Settings > Privacy > Story, restrict who can reshare your stories and turn off the option allowing others to add your posts to their own. Review connected apps under Settings > Apps and Websites and revoke anything inactive.

LinkedIn

LinkedIn requires a different balance — you want to be discoverable by legitimate professional contacts, but not expose personal data to bad actors. Go to Settings > Visibility > Profile Viewing Options and set yourself to appear as "LinkedIn member" when browsing other profiles anonymously. This prevents competitors or social engineers from seeing who's researching them.

Under Settings > Visibility > Connections, hide your connections list. A visible network is a ready-made targeting list for anyone impersonating a colleague. Also turn off data sharing with third-party applications under Settings > Data Privacy, and disable the "People also viewed" widget on your profile page.

X (formerly Twitter)

In Settings > Privacy and Safety > Audience and Tagging, enable "Protect your posts" to make your account private. Under Settings > Privacy and Safety > Location Information, turn off precise location access and remove stored location data from past posts. X collects granular location data by default — disabling it going forward does not delete historical records, so submit a data deletion request through the platform's privacy settings if past location exposure is a concern.

Six Privacy Controls Every Social Media User Should Enable

Private Account Mode

Switch from public to private on Instagram and X so only approved followers can view your content. Combined with selective follower vetting, this is the most effective single change in any social media privacy settings guide.

Authenticator-Based 2FA

Enable two-factor authentication (2FA) using an authenticator app on every account. SMS-based 2FA is vulnerable to SIM-swap attacks — authenticator apps eliminate that exposure entirely.

Tag Approval Queue

Require manual approval for all posts and photos others tag you in before they appear on your profile. This prevents third parties from publicly associating you with locations or events without your consent.

Block Search Engine Indexing

Disable the setting that allows Google and Bing to index your profile pages. This significantly reduces your discoverable footprint for anyone researching you from outside the platform.

Quarterly App Permission Reviews

Schedule a 10-minute review of connected apps every 90 days. Permissions accumulate silently over years of use. Revoke access for anything you haven't actively used in the past quarter.

Download Your Platform Data

Use each platform's data export tool to see exactly what has been collected about you. This frequently reveals stored location history, off-platform tracking activity, and advertising preference profiles you didn't know existed.

Third-Party Apps Are a Silent Privacy Drain

Quiz tools, photo editors, and social scheduling apps that connect to your accounts often request far more access than their core function requires — including your contact list, direct messages, and friends network. When these apps are sold, acquired, or breached, your data transfers with them. Revoke access for any connected app you haven't used in 90 days, and never authorize apps requesting message or contacts access unless you have a specific, verified need.

Privacy Mistakes That Leave You Exposed After You've Updated Settings

Reviewing settings once and considering the job done is the most common error users make. Social media companies routinely introduce new features with permissive defaults — sometimes tucked behind a notification you dismissed. Schedule a semi-annual settings review, ideally timed around major platform updates, to verify nothing has changed without your knowledge.

Commenting on Public Posts

Your account's privacy settings protect your own posts, not your replies on other people's public content. A comment on a news outlet's post or a public figure's update is visible to anyone, regardless of your account's privacy level. Your comment history is accessible to anyone who views that public thread — be deliberate about what you engage with publicly.

Federating Your Identity Through Social Login

"Sign in with Facebook" and "Sign in with Google" are convenient, but they create a single point of failure. If your social account is compromised, every service linked through that login is also at risk. Where possible, create standalone account credentials and store them in a password manager. For the authentication standard that governs how secure identity flows should work, see NIST SP 800-63B Digital Identity Guidelines.

Neglecting Account Recovery Options

Users who enable strong passwords and 2FA sometimes leave account recovery pointing to an email address they no longer control or a disconnected phone number. Attackers regularly exploit stale recovery options as the path of least resistance. Verify your recovery contacts on every social platform at least once per year.

If you have children or teenagers on social media, their exposure is statistically higher: they're more likely to accept unknown connections and share personal information freely. Our guide on online safety for kids covers platform-specific parental controls in detail. For a broader view of your personal data exposure beyond social platforms, our comparison of identity theft protection services can help you decide whether proactive monitoring makes sense for your household.

Frequently Asked Questions

Review your settings at minimum twice per year and immediately after any major platform update. Social media companies routinely introduce new features with permissive defaults. Set a recurring calendar reminder every six months to run each platform's built-in privacy checkup tool and verify nothing has changed without your knowledge.

Private account mode restricts your posts and profile to approved followers, but it does not protect comments you leave on public accounts or posts. It also cannot prevent your existing followers from screenshotting and resharing your content. Vet follower requests carefully, and treat every post as potentially permanent regardless of your account setting.

Social login is convenient but creates a single point of failure. If your Facebook or Google account is compromised, every service you've accessed through that login is exposed simultaneously. Social login also shares profile data with the third-party application at sign-in. Where possible, create standalone accounts and use a dedicated password manager to generate strong, unique credentials for each service.

Avoid sharing your full date of birth (especially the year), home address, phone number, or answers to common security questions such as your mother's maiden name, first car, or childhood school. Do not post vacation dates while you're away from home, photos of government ID or financial documents, or real-time location check-ins. Each of these data points is either directly exploitable or can be combined with other public information to enable fraud or account takeover.

Yes — if you accept a connection request from an attacker, they immediately gain access to everything you've set to 'Friends Only.' Social engineers often create convincing fake profiles using photos scraped from real accounts and shared mutual connections. Before accepting any unknown request, verify the person through a separate channel, or decline if you cannot independently confirm the identity.

Each major platform provides a data export tool: on Facebook, go to Settings > Your Facebook Information > Download Your Information. On Instagram, go to Settings > Account > Download Data. On LinkedIn, go to Settings > Data Privacy > Get a copy of your data. On X, go to Settings > Your Account > Download an archive of your data. Review the export carefully — it typically includes location history, off-platform browsing activity tracked via embedded pixels, and detailed advertising interest profiles you did not explicitly create.

Use the platform's account recovery process to regain access as quickly as possible. Once back in, change your password immediately and enable two-factor authentication if it wasn't already active. Revoke all connected third-party app access. Notify your contacts that your account was compromised, since attackers commonly use hijacked accounts to send phishing messages to your network. File a report with the FTC at ReportFraud.ftc.gov and monitor your financial accounts and credit reports for unusual activity in the weeks that follow.
