Mastodon: different social network, additional risks

Mastodon: different social network, additional risks

Mastodon is a social network that’s a few months old and it’s been mentioned on news sites quite a lot recently, leading users to sign up to an instance and check it out.

I have noticed that some of the new people seem to be treating it like any other social network and not realizing that its differences can open up some opportunities that less scrupulous individuals could take advantage of if these new users aren’t aware of the risks.

Mastodon’s decentralization is its key selling point: no one person “owns” the entire network. Anyone can set up a Mastodon server (“instance” in the community parlance) that can communicate with anyone over the entire network. (There are differences: some instances can choose to only allow contact with certain other instances or even no other instances.) In some ways, this is a good thing: the main benefit cited has been a lack of advertising directly from the social network itself, which removes certain threats that have been seen on other social networks – for example, phishing on Twitter via sponsored posts, or malvertising on Facebook leading to tech support scams.


Usernames aren’t unique

However, usernames on Mastodon are not unique across the entire network; only per instance. If you registered as


on the

instance, your full Mastodon username would be

; some other person could register as


on the

instance, and therefore be

. Users are, quite naturally, describing this situation using a comparison with email addresses.

As phishing exists via email, similar attacks could occur on Mastodon, with a malicious user registering on a Mastodon instance with the username of someone on another instance, cloning their profile, and trying to social engineer their followers, for example. Those on another instance will see the full Mastodon username with the instance name, but this can be cut off with usernames that are long enough, on some clients (like the web one). For an example, see the screenshot below, where‘s username is not visible:

There is a way to show the full URL to the user’s profile including their instance: hover over their display name or profile picture – both are links to the profile of a user. Of course, a malicious user could set up an instance of their own with a domain name very similar to an existing instance, so be sure to double check the URL.


No verified accounts

Additionally, due to the decentralization, there is no concept of “verified accounts” like you would find on centralized social networks — however, some Mastodon users have taken to putting green checkmark emojis in their display names as a joke. This means that you cannot trust any corporate account that is in any “mainstream” Mastodon instance. Mastodon being decentralized would instead allow for corporate entities to set up their own Mastodon instances, so their instance name would prove that they are who they say they are – just like a company’s support email address could be email addresses, they could thus have Mastodon accounts of
or Time will tell whether this will actually take place (and this would actually be a good thing as it would allow for companies to own their own social media presence); however, some Mastodon users have suggested that big brands would just do the bare minimum (that is, creating an account on a Mastodon instance that already exists) – this could make their customers more vulnerable to social engineering attempts than they would be otherwise. I would also like to point out that there have been plans mentioned about allowing a user to set a URL and verifying that they control that site via TXT record; however, it is unknown if this will end up getting implemented.


No deleting accounts

Another situation that occurs due to the downside is that you are unable to delete accounts on Mastodon (you can ask your instance administrator to delete your account, but parts of it will remain in other instances). You will also be unable to delete toots that have been federated to other instances. Deleting Mastodon accounts (or federated toots) actually makes no sense due to the decentralization – using the email analogy again, you can change your email address but people you sent emails to will still have messages you previously sent to them. Given that centralized social networks means people seem to have started to forget the rule that “if you post something on the Internet, it stays on the Internet forever” (via people copying to other places), it’s debatable whether this is a good or bad thing. The granular privacy settings on Mastodon means that if you’re worried about this, you can set your toots to never leave the instance you’re on and tell your friends to sign up on the same instance as you.


Mastodon is a style of social network that will be a new idea to many newcomers. It’s still in development, so there’s some missing functionality that can lead to additional risk (and some of that functionality does not make sense to this style of social network, anyway). You will want to be more careful on Mastodon; making a mistake could be more costly there.