A client is concerned that one or more of their accounts might be or might have been compromised and needs basic recommendations on how to secure their online accounts.
Edit me

FAQ - Securing Online Accounts

Basic security advice for mailboxes and accounts on social networking platforms and other online services


Social media is crucial for many human rights activists to share their ideas, communicate with partners, and broadcast news. Their work and popularity can make them targets for hacking and account compromise.

This article focuses primarily on how to secure accounts on the main online services:

  • Google
  • Twitter
  • Facebook

A case may start because:

  • A client has received an unsolicited recovery link
  • There is evidence that the account has been used by unauthorized persons without the owner’s knowledge
  • A client is concerned by attempts at accessing their account from devices they don’t recognize
  • A client is starting a campaign on social networking platforms and would like to prevent attacks against their account

In all such cases, we should work with the client to secure their account and make sure their account(s) cannot be accessed by unauthorized persons.


Add layers of security for greater protection:

  • Help the client to set up two-step verification (also called two-factor authentication)
  • Provide recommendations for privacy and security settings
  • Teach the use of strong passwords and password management
  • Provide recommendations on online identity management

Two-Factor Authentication

For resources and other recommendations on two-factor authentication, see Article #294: Recommendations on Two-Factor Authentication.

Security Checkups

Security and Privacy Resources

Password Creation and Management

Online Identity Management

If the client is starting a campaign from scratch or is managing public accounts for their organization from their personal accounts, and they fear attacks from trolls and mobs, encourage them to create a strategy for securely managing their online identities.

This is particularly required if the client’s focus is on a topic that carries social stigma, like LGBTQ rights, feminist issues, etc.

  1. Send them the guide for researching what can be found on them online: Self-Doxing Guide.
    • If they find results that should be taken down, help them with the takedown requests.
  2. Recommend they separate their personal accounts from their work accounts, possibly using a pseudonym for their private account.
    • This step should include connecting a different email account to their personal and work online accounts.
    • We should recommend they don’t follow their work account from their personal account and vice versa, and they don’t share the same contacts among the different accounts.
    • More information on managing different online accounts can be found in this guide.
  3. If the client’s has state-level adversaries, encourage them to use anonymization tools for creating their most sensitive online accounts, and to separate them as much as possible from their real identity.


If the account is known to be compromised, please see Article #23: FAQ - Account Recovery and Deactivation.

For more tips on Google Drive, see Article #146: Secure File Sharing on Google Drive.