As Elon Musk critics flee from Twitter, Mastodon seems to be the most common replacement. In the last month, the number of monthly active users on Mastodon has rocketed more than threefold, from about 1 million to 3.5 million, while total number of users jumped from about 6.5 million to 8.7 million.
This substantial increase raises important questions about the security of this new platform, and for good reason. Unlike the centralized model of Twitter and virtually every other social media platform, Mastodon is built on a federated model of independent servers, known as instances. In this respect, it’s more akin to email or Internet Relay Chat (IRC), where security depends on the ability and attention of the admin who configured it and maintains each individual server.
The past month has seen the number of instances mushroom from about 11,000 to more than 17,000. The people running these instances are volunteers who may or may not be versed in the nuances of security. The difficulty of configuring and maintaining instances leaves plenty of room for mistakes that can put user passwords, email addresses, and IP addresses at risk of being revealed (more about that later). Twitter security left much to be desired, but at least it had a dedicated staff with a deep background in security.