After a data breach, the most critical Twitter (now X) privacy settings to change immediately are enabling two-factor authentication via an authenticator app, protecting your posts from public view, restricting direct messages, and disabling data sharing for personalized ads. These four changes address the primary attack vectors that criminals exploit when breach data circulates online. For example, if your email address was exposed in the January 2023 Twitter breach affecting 209 million users, attackers can now cross-reference that with your profile information from the March 2025 leak to craft highly convincing phishing messages that reference your real name, location, and interests. These settings have become more urgent following what may be the second-largest data breach in history.
On March 28, 2025, a user posted a 400GB dataset on BreachForums containing approximately 2.8 billion Twitter/X user profiles, allegedly extracted by a disgruntled employee during mass layoffs. While no passwords or financial data were included, the exposed information includes account creation dates, user IDs, screen names, profile descriptions, URLs, location settings, display names, and follower counts. As of April 1, 2025, X has not officially acknowledged this breach. This article walks through every privacy setting you should adjust after a breach, explains why each matters, and highlights the limitations of what these settings can actually protect. We will also cover the differences between authentication methods, what data remains permanently public regardless of your settings, and how to monitor for signs that your account has been compromised.
Table of Contents
- What Are the First Privacy Settings to Change After a Twitter Data Breach?
- Understanding What Data Remains Public on X Regardless of Settings
- How to Enable Two-Factor Authentication the Right Way
- Protecting Your Posts and Limiting Who Can Contact You
- Disabling Data Sharing and Personalization Features
- Monitoring Your Account for Signs of Compromise
- What the March 2025 Breach Means for Long-Term Privacy on X
- Conclusion
What Are the First Privacy Settings to Change After a Twitter Data Breach?
The first setting to change is your password, even if passwords were not part of the leaked data. Breaches often correlate with credential stuffing attacks where criminals test username and password combinations from other breaches against your Twitter account. Use a password manager to generate a random passphrase of at least 16 characters that you have never used anywhere else. If you have been reusing your Twitter password on other sites, change those as well. Immediately after changing your password, enable two-factor authentication through an authenticator app such as Google Authenticator, Authy, Duo Mobile, or 1Password. This setting lives under Settings, then Security and account access, then Security, then Two-factor authentication.
The authenticator app option is available to all users, while SMS-based 2FA has been restricted to X Premium subscribers since March 20, 2023. This restriction actually works in your favor since SMS authentication is vulnerable to SIM-swapping attacks where criminals convince your phone carrier to transfer your number to their device.
Review your active sessions and connected apps before doing anything else. Navigate to Settings, then Security and account access, then Apps and sessions. Revoke access for any devices or applications you do not recognize. Attackers who obtained access before you changed your password may have authorized persistent sessions that remain valid even after a password change. A comparison worth noting: revoking a session forces re-authentication, while revoking an app permanently removes its access until you explicitly reauthorize it.

Understanding What Data Remains Public on X Regardless of Settings
No privacy setting on X can protect information that the platform treats as inherently public. Your profile name, profile picture, biography, and location field are visible to anyone whether or not they have a Twitter account. This design choice means that the 2.8 billion profiles leaked in March 2025 contain information that was technically accessible to anyone with a web scraper, though the aggregation of this data into a searchable database creates risks that did not exist when the information was scattered across individual profiles. The leaked dataset reportedly includes account creation dates, user IDs, screen names, profile descriptions, URLs, location and time zone settings, display names, and follower counts. Even if you lock your account today, this historical data remains in the leaked files.
However, you can limit future exposure by removing or falsifying optional profile fields. Consider whether you actually need your real location displayed, whether your biography reveals information useful to social engineers, and whether your profile URL links to other accounts that could be targeted. A critical limitation: the March 2025 leak was merged with data from the January 2023 breach, creating a 34GB CSV file with 201,186,753 entries that includes email addresses. Email addresses are not visible on your public profile, but they were exposed through an API vulnerability exploited in 2022. This combination of your public profile data with your private email address is what makes the merged dataset particularly dangerous for phishing attacks.
How to Enable Two-Factor Authentication the Right Way
X offers three two-factor authentication methods, and choosing the right one matters more than simply having 2FA enabled.
The authentication app method generates time-based codes that change every 30 seconds and works even when you have no cellular service. Security keys, such as YubiKey devices, provide the strongest protection because they require physical possession and are immune to phishing since they verify the actual domain you are logging into. To enable 2FA via authenticator app, navigate to Settings, then Security and account access, then Security, then Two-factor authentication, then Authentication app. You will scan a QR code with your authenticator app, then enter the six-digit code to confirm the connection. When you complete this process on the iOS or Android app, backup codes are automatically generated. Store these backup codes in your password manager or print them and keep them somewhere secure. If you lose access to your authenticator app without backup codes, recovering your account becomes significantly more difficult.
The tradeoff between security keys and authenticator apps comes down to convenience versus protection. Security keys can be used as your sole authentication method, eliminating the possibility of code interception entirely. However, you need the physical key every time you log in from a new device, which becomes problematic if you travel frequently or misplace the key. Authenticator apps work on any device where you have the app installed, but they remain theoretically vulnerable to sophisticated malware that could intercept codes in real time. For most users, an authenticator app provides sufficient security, while security keys are worth considering if you are a high-value target such as a journalist, activist, or public figure.
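As an added illustration (not code from the article or from X), this is the RFC 6238 time-based one-time password algorithm that authenticator apps run, fed from a provisioning URI of the kind a 2FA QR code encodes. The secret is the RFC's published test key, the URI layout is the common otpauth key-URI format (assumed here, not confirmed for X's QR codes), and the verifier side shows the small clock-skew window that lets a 30-second code still work when your phone's clock drifts.

```python
"""RFC 6238 TOTP: generation from an otpauth:// URI and verification with a skew window.

Constructed example. The secret is the RFC 6238 reference test key, not a real
account secret; the otpauth URI follows the widely used key-URI format (assumption).
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import urlparse, parse_qs


def parse_otpauth(uri: str) -> dict:
    """Extract secret, digits, period and hash algorithm from an otpauth://totp URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    q = parse_qs(u.query)
    secret_b32 = q["secret"][0].upper().replace(" ", "")
    secret_b32 += "=" * (-len(secret_b32) % 8)  # restore padding some issuers strip
    return {
        "secret": base64.b32decode(secret_b32),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
        "algorithm": q.get("algorithm", ["SHA1"])[0].lower(),
    }


def totp(secret: bytes, at: int, digits: int = 6, period: int = 30, algorithm: str = "sha1") -> str:
    """Code for the time step that contains Unix time `at` (HOTP over the step counter)."""
    counter = struct.pack(">Q", at // period)            # 8-byte big-endian step number
    mac = hmac.new(secret, counter, getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                              # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify(secret: bytes, code: str, at: int, window: int = 1, **kw) -> bool:
    """Accept the current step and +/- `window` neighbouring steps to absorb clock skew."""
    period = kw.get("period", 30)
    candidates = [totp(secret, at + k * period, **kw) for k in range(-window, window + 1)]
    return any(hmac.compare_digest(code, c) for c in candidates)


# Constructed provisioning URI carrying the RFC 6238 test key "12345678901234567890".
DEMO_URI = ("otpauth://totp/X:example_user?secret="
            "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=X&digits=6&period=30")

if __name__ == "__main__":
    p = parse_otpauth(DEMO_URI)
    print(totp(p["secret"], int(time.time()), p["digits"], p["period"], p["algorithm"]))
```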
Protecting Your Posts and Limiting Who Can Contact You
The Protect your posts setting restricts your tweets to approved followers only. Navigate to Settings, then Privacy and Safety, then Audience, media and tagging, then toggle on Protect your posts. New followers must request approval, and your tweets will not appear in public search results or be visible to non-followers. This setting has a significant limitation: anyone who followed you before you enabled protection retains access to your tweets unless you manually remove them.
Direct message settings deserve attention because breach data makes targeted harassment and scam attempts more effective. Under Privacy and Safety, then Direct Messages, you can restrict who can send you messages.
Options include everyone, verified users only, or people you follow. Choosing verified users only blocks many automated scam attempts since verification requires payment and identity confirmation, creating friction for bulk operations. However, this setting also prevents legitimate contacts from reaching you if they are not verified. A practical example of why these settings matter after a breach: suppose an attacker knows from the leaked data that you follow several cryptocurrency accounts and your profile mentions interest in NFTs. They could craft a direct message impersonating a project you follow, referencing specific details that make the scam seem legitimate. Restricting DMs to people you follow or verified users blocks this attack vector entirely. The downside is losing the ability to receive messages from potential employers, collaborators, or sources who find you through your public posts.

Disabling Data Sharing and Personalization Features
X collects extensive data about your behavior and shares it with advertising partners unless you explicitly opt out. Navigate to Settings, then Privacy and Safety, then Data sharing and personalization to review these options. You can disable personalized ads, which stops X from using your activity to show targeted advertisements. You can also disable inferred identity, which prevents X from connecting your activity across devices without your explicit login. The location-based personalization setting is particularly relevant after a breach that exposed location data. Under Privacy and Safety, then Location information, you will find two options: adding location to your posts and personalizing based on places you have been.
Disabling both prevents future location data from being attached to your account, though it does not retroactively remove location information from existing posts or from data already leaked. A warning about what these settings cannot do: disabling data sharing stops future collection but does not delete historical data X has already gathered. To request deletion of historical data, you need to use the separate Your Twitter Data section under Settings and Support, then download your data archive, and then use X’s data deletion request process. Even then, X retains some data for legal and operational purposes. If your goal is to minimize your exposure surface going forward while accepting that already-exposed data cannot be recalled, adjusting these settings is worthwhile. If you expect complete data erasure, you will be disappointed by the actual capabilities.
Monitoring Your Account for Signs of Compromise
After adjusting your privacy settings, establish a routine for monitoring your account for unauthorized access. The Sessions section under Settings, then Security and account access, then Apps and sessions shows every device currently logged into your account along with approximate location and last active time. Check this weekly in the month following a breach announcement, since attackers may wait before exploiting stolen data to avoid detection during the initial response period.
Watch for email notifications about login attempts from new devices or password reset requests you did not initiate. If you receive these notifications and did not trigger the activity, someone is attempting to access your account. Change your password immediately and revoke all active sessions. If you have not already, enable login verification emails, which notify you whenever a new device accesses your account.

What the March 2025 Breach Means for Long-Term Privacy on X
The scale of the March 2025 breach, with 2.8 billion records potentially representing the second-largest data breach in history, suggests that nearly every current and historical Twitter account has been affected. The 335.7 million active users as of January 2025 represent only a fraction of the leaked profiles, which include deleted accounts, suspended accounts, and bot accounts accumulated over X’s entire operational history. For users deciding whether to remain on the platform, the relevant question is not whether your data was leaked but how to minimize the utility of that leaked data to attackers.
The settings described in this article reduce future exposure but cannot undo past exposure. If X’s silence on the breach as of April 1, 2025 concerns you, consider that breach notification requirements vary by jurisdiction and that companies sometimes delay acknowledgment while investigating scope and validity. Regardless of official acknowledgment, treating your data as compromised and acting accordingly is the prudent approach.
Conclusion
Securing your Twitter account after a breach requires immediate action on authentication and ongoing attention to privacy settings. Change your password, enable two-factor authentication via an authenticator app or security key, revoke unrecognized sessions and apps, and then systematically review your privacy settings to protect posts, restrict direct messages, and disable unnecessary data sharing. These steps do not erase data already leaked but significantly reduce the attack surface available to criminals working with that data.
The March 2025 breach allegedly affecting 2.8 billion accounts demonstrates that platform security failures can expose even users who follow best practices. Your responsibility is to minimize the damage from breaches you cannot prevent by ensuring that compromised data cannot easily translate into compromised accounts. Review your settings after every major breach announcement, not just once, since platforms frequently change available options and default configurations.
