You should feel relatively safe to watch and post videos on TikTok, but like with any online service, you’re always at the mercy of hackers.
It’s unfortunate, but anyone can become a target for arbitrary reasons. Maybe your TikTok videos are controversial. Maybe someone has a personal vendetta against you. Maybe your credentials ended up on a brute-force wordlist from a data breach and some black hat randomly picked your account. Maybe you have an in-demand username that somebody wants to steal and sell on an underground market.
While talks of a potential TikTok ban in the U.S. have disappeared, in part because there has been no evidence that it’s a national security risk for Americans, TikTok has had some security vulnerabilities in the past that any app could fall victim to. These have all been patched, and TikTok has recently opened up a bug bounty program for white hat hackers, but new exploits that go unnoticed are sure to pop up in the future. You can be prepared for them if you take the steps necessary to safeguard your account.
While there is no way to make any online account completely hacker-proof, there are a few built-in settings you can tweak on TikTok’s Android and iOS apps to improve your security and protect your account from unwanted malicious attacks. Aside from the built-in security features, there are a few recommendations you should put into practice on your TikTok account — things you should implement across all of your online accounts, not just TikTok.
Your password is the first line of defense against hackers and malware, so the stronger your password is, the better protected you are. It’s easy to reuse passwords online, but if one of the accounts you use the same password for is involved in a data breach, where hackers have leaked usernames and passwords, your other accounts using the same password are compromised — including TikTok.
Instead of reusing a password, you should come up with a unique one for TikTok. As with most secure passwords, it should ideally be 16 characters or more and made up of a combination of letters (uppercase and lowercase), numbers, and symbols. TikTok requires between eight and 20 characters, so maxing out at 20 is a good way to go.
When creating a new password or changing an old one, you should consider all of the following.
- Don’t use a password you’re already using on another account or app.
- Combine uppercase and lowercase letters, numbers, and special symbols (#, $, @, *, &, etc.).
- Use the 20-character maximum password length for TikTok.
- Avoid using dictionary words, common phrases, ordered characters like 1234 and abcd, and typical passwords that appear in leaked word lists in any part of your password.
- Refrain from using personal information that anyone knows about you or can find out about you. Identifying information can be gathered from your phone number, license plate, other social profiles (like Twitter), Exif data hiding in photos, and more.
- Use a password manager to create more random passwords. Your mobile device’s operating system may even have one built-in.
On an iPhone, iCloud Keychain can create and auto-fill strong passwords for you directly from the password field, but it doesn’t work in every app, and TikTok happens to be one of those. You can get around that limitation by using a shortcut like Apple Keychain Password Generator or Generate Password. The latter can be run right from the Share sheet.
On Android, depending on which device you have, you may be able to get a suggested strong password from your keyboard. Most can use Chrome’s autofill feature, which syncs passwords across your Google account. Just tap in the password field, then choose “Use suggested password,” “Suggest strong password,” “Generate Password,” or something along those lines.
If the above password-generating features don’t work out for you, you can always use third-party password managers like LastPass, Keeper Password Manager, and 1Password to not only store your passwords but also generate strong ones.
If TikTok’s databases are ever breached, the strong password you just created may end up on that list, connected to your username. To keep your account protected, change your password regularly, maybe even on schedule. If you’re using one of the password managers mentioned above, it should be a fairly simple task, and you shouldn’t ever have a hard time keeping track of them.
Although a strong password is a good start, two-step verification (2SV) adds another layer of security to your accounts by asking you to prove your identity when logging in from a new or unrecognized device. For TikTok, that means you will receive a verification code via text or email that you need to use to continue signing in.
To turn 2SV on for TikTok in the mobile app, tap “Me” in the toolbar, hit the ellipsis up top, then select “Security and login.”
Next, tap “2-Step verification,” which is set to “Off” by default. Choose between “SMS” or “Email verification,” then tap “Turn on” at the bottom. If you didn’t have a phone number or email address already connected with TikTok, you would be asked for that to finish turning 2SV on.
Two-step verification is now on for TikTok, so anytime you log in to your account from a new or unrecognized device or browser, you’ll also be asked to enter the verification code sent to you via text or email.
With 2SV enabled, the “2-step verification” settings will look different. You can hit “Turn off” to disable it, adjust your SMS or email preferences, use a backup method, and review and manage your list of trusted devices.
Email accounts can easily be hacked, and attackers can utilize SIM swaps, man-in-the-middle phishing attacks, session hijacking, and other exploits to retrieve SMS verification codes. To avoid SIM swapping fraud, set up a PIN for your SIM. Some precautions for avoiding the other attacks include staying off public hotspots, using a strong password on your router and Wi-Fi network, and implementing a virtual private network (VPN).
If you ever get a new phone number, make sure to update your SMS information in the 2SV settings on TikTok so that some stranger isn’t getting your verification texts.
Your login security should be fairly good now, but it’s also important to monitor any unusual activity as a preemptive measure. Fortunately, TikTok makes it easy to review any recent “security events” (as it calls them) and do something about suspicious ones.
Back in the “Security and login” page, tap “Security alerts” to view any recent activity. For example, you may see a recent device login if you’ve logged into your TikTok on another device. You’ll see information regarding what occurred, the device model it happened on, and the date and time it happened. If you don’t recognize the event, tap it and hit “Secure my account” at the bottom.
Depending on the event, the device may be removed from your account, meaning that the device listed will no longer have access to your account. Additionally, TikTok will ask you if you want to reset your password for additional security. If you have no security events, it’ll simply say that your account is secure.
Security isn’t always about unknown devices — sometimes it’s about old devices or devices borrowed from friends or family members. Although the security alerts feature notifies you of strange activity, it won’t let you know about every single device you’ve ever used TikTok on.
So if you’ve logged into TikTok on a smartphone you’ve sold or a tablet you borrowed from a friend and forgot to log out, you can disconnect the device from your TikTok account.
Back in the “Security and login” page, tap “Manage devices” to view every device where your TikTok account is currently logged in. At the top, you’ll see the device you’re currently using. Below that, you can review other devices that may be logged in to your TikTok, as well as the activity and when it occurred.
To log out of a device, tap the trash can icon next to it, then tap “Remove” in the pop-up that appears. As long as the other device is connected to the internet, it will automatically log out of your TikTok account.
By default, TikTok will save your username and password so that if you ever log out, you can easily log back in without having to type in all your credentials. While it saves time when you’re using TikTok on your devices, if you’ve logged into your account on another device and then logged out, there is a chance that the person with that device can still log in to your account.
The last setting in the “Security and login” preferences can prevent that from happening. Toggle off the “Save login info” switch at the bottom of the list, and TikTok will no longer save your credentials. However, be aware that the device itself might attempt to save your credentials, so even if you toggle this setting off, it may still be saved to the device.
Social engineering is alive and well in the cybercriminal world, and phishing attacks are among the many tools of the trade. You may receive texts or emails trying to get you to give up your verification code, so don’t tap any links on those if you haven’t just logged into TikTok on one of your devices.
More commonly, you’ll see phishing links planted in clever-looking emails, on social sites, in booby-trapped text messages, and even on well-crafted websites that will deliver a payload or take you to a malicious webpage that tries to get your credentials from you. Malware installed on your system may even redirect you to a phishing page.
Some of the webpages you’ll be sent to look legit, thanks to tools at hackers’ disposal. A black hat could create a clone of TikTok’s site using software like BlackEye and SocialFish. And the URLs they use could be fairly convincing since they can be made to look like tiktok.com with tiny differences.
For instance, they can add just one letter that you may not see at a glance, replace one letter, omit letters, utilize subdomains, swap vowels, and my favorite, trade real letters for homoglyphs, i.e., use Unicode-encoded characters that look identical to the ASCII equivalents.
Don’t be gullible. Ignore anything that seems out of place, anything you didn’t initiate, and anything that leads to links other than tiktok.com.
I know that I’ve already talked about passwords enough, but I’d like to reiterate the usefulness of password managers. Besides storing and generating passwords for you, using auto-fill with your password manager of choice can help prevent some phishing attacks mentioned above.
Specifically, when a malefactor uses a URL that looks like tiktok.com but isn’t.
Auto-fill will only look for the URL you supplied it when first saving the password, so it’ll be able to easily avoid URLs with added, missing, or swapped characters. If auto-fill on your device won’t give you the credentials for TikTok when trying to log in, take a step back and make sure it’s really TikTok you’re trying to access.
If you’ve been hacked, or even if you have the slightest suspicion that something isn’t right with your account, reset your password right away. To do that, head to “Settings and privacy,” then “Manage account.” Tap “Password,” enter your verification code if you have 2SV enabled, then choose another password and make sure to save it in your password manager.
Keep Your Connection Secure Without a Monthly Bill. Get a lifetime subscription to VPN Unlimited for all your devices with a one-time purchase from the new Gadget Hacks Shop, and watch Hulu or Netflix without regional restrictions, increase security when browsing on public networks, and more.
Other worthwhile deals to check out: