Is Mastodon a safe and secure alternative to Twitter?

Dozens of new social networks emerge every year, but none of them have been able to topple giants like Facebook, Instagram and LinkedIn.

However, a Twitter alternative called Mastodon has gained traction. But how does Mastodon work? More importantly, is it safe? Is it safer and more private than Twitter?

How does Mastodon work?

Mastodon is best described as a cross between Twitter and Discord. Just like Twitter, it is a microblogging platform. But unlike Twitter, it’s decentralized and made up of hundreds of different servers. These servers usually revolve around a topic (e.g. politics, technology) and are managed by volunteer moderators.

These servers (instances) are categorized by topic, language, geographic region, and so on. Each has its own rules and registration procedures. Users can join as many instances as they want and follow people on other instances; no special permission is needed to view posts or communicate with users elsewhere.

Once you’ve signed up for Mastodon (you’ll need a username, a password, and an email address to verify your account), you can edit your profile, change preferences, follow other users, and so on — just like on Twitter.

In short, this is how Mastodon works. It’s a unique social network, but the interface is fairly intuitive, and if you’ve ever used a similar platform, you’ll probably get used to it quickly.

Is Mastodon safe?

Mastodon is free, open source, and available for all popular operating systems. It is crowdfunded and does not contain ads, which is a major advantage over other social networking platforms.

Mastodon’s decentralized, quasi-democratic system is also its weakness. Unlike other social networks, it doesn’t have a large team dealing with cybersecurity, and that lack of dedicated security staff is a major weakness.

When billionaire Elon Musk took control of Twitter in November 2022, Mastodon saw an influx of new users. This has also attracted the attention of the cybersecurity community, with high-profile researchers testing the platform’s vulnerabilities. Some immediately identified major issues that could lead to serious vulnerabilities.

For example, PortSwigger researcher Gareth Heyes discovered an HTML vulnerability that threat actors can exploit to steal users’ credentials, as reported by Security Weekly. Meanwhile, MinIO expert Lenin Alevski discovered a vulnerability that could be exploited to download files shared via private information. Ironically, both vulnerabilities were discovered on the Infosec.exchange server.

In addition, Anurag Sen, an independent cybersecurity researcher, discovered that an unknown threat actor was scraping data belonging to 150,000 Mastodon users. Before that, penetration tester Joe Helle discovered a flaw that enabled brute force attacks.

To its credit, all of these vulnerabilities were fixed shortly after they were discovered. However, it seems reasonable to assume that more flaws will be found in the future, especially if Mastodon’s user base continues to grow and cybersecurity experts spend more time investigating the platform.

Fortunately, there are a few things individual users can do to protect their accounts. For example, you can create a strong password and enable two-factor authentication, restrict who sees your posts, block domains and users, edit preferences, and more.

Mastodon vs. Twitter: Which platform is more secure?

Twitter launched in 2006, while Mastodon has been around since 2016.

Unsurprisingly, Twitter suffered more security breaches. It suffered a number of early blows, prompting the Federal Trade Commission (FTC) to file charges against the company for failing to secure users’ personal information. The lawsuit was settled in 2010 when Twitter promised a robust security model and agreed to conduct annual audits.

Over the years, hundreds of verified high-profile Twitter accounts have been hacked. Most notably, accounts belonging to former US President Barack Obama, Microsoft founder Bill Gates, and dozens of other high-profile individuals were hacked in 2020 by a threat actor running a cryptocurrency scam. A year later, a similar hack of verified accounts occurred.

In August 2022, Twitter admitted that an update it had launched a year earlier allowed a threat actor to associate email addresses and phone numbers with user accounts. The vulnerability was reported through the company’s bug bounty program in January 2022 and has since been patched.

Is Mastodon More Private?

It’s clear that both Twitter and Mastodon have their own security issues. But what about privacy issues? How much data do these companies collect, and is one worse than the other?

Twitter’s privacy policy says it collects, stores and shares all kinds of personal information. For example, even if you don’t have an account and just browse the website, it collects your data, has access to private information, can view your browsing history, and stores content you’ve deleted.

For Mastodon, the situation is more complicated. Privacy policies vary from server to server. For example, the privacy policy of the instance states that administrators can access private information. So, when you find an interesting server to join, make sure you analyze its privacy policy first.

Overall, when it comes to respecting user privacy, Mastodon is better than Twitter, which collects a lot of personal data, mostly for advertising purposes. Precisely because Mastodon doesn’t allow ads, the incentive to collect user data simply doesn’t exist.

Then there is the issue of moderation in speech and content. With Musk at the helm, Twitter seems more willing to relax its once-strict rules. Mastodon, on the other hand, is more restrictive by default – because each server has its own rules, and administrators can impose restrictions as they see fit. They can freeze, restrict, or permanently suspend accounts. In addition, server administrators can ban domain names, email servers, and IP addresses.

Twitter or Mastodon: You can choose

Whether Mastodon will reach Twitter’s popularity remains to be seen, but if its user base continues to grow at a healthy rate in the coming years, it could evolve into a tech giant in its own right.

From a cybersecurity perspective, there are some differences between Twitter and Mastodon, but neither platform is truly secure.