Mastodon Privacy & Security Guide 2026
Mastodon's decentralized structure gives you more control, but also means privacy depends entirely on which instance you choose and how you configure it.
Key steps to lock down Mastodon in 2026
These are the exact settings to flip today. Each one removes a documented exposure vector that adversaries actively scrape and chain into doxxing, account-takeover, or stalking campaigns.
- Preferences → Privacy and reach.
- Make account private and require Follow requests.
- Disable search engine indexing.
- Set Posts default visibility to Followers only.
- Turn off Suggest account to others.
- Audit your instance's federation list — some instances mirror to less-private servers.
- Enable two-factor authentication.
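To confirm the settings above actually took effect, you can audit what your instance publishes about your account. The following is an added example, not part of the original guide: it checks a constructed sample of the public Account object (as returned by `GET /api/v1/accounts/lookup?acct=<handle>`) and assumes the mapping of each setting to the `locked`, `noindex`, `discoverable` and `indexable` fields; `indexable` goes beyond the list above.

```python
import json

# Constructed sample: the public Account object an instance returns from
# GET /api/v1/accounts/lookup?acct=<handle>, trimmed to the audited fields.
SAMPLE_ACCOUNT_JSON = """
{
  "acct": "alice",
  "locked": true,
  "discoverable": true,
  "noindex": null,
  "indexable": false
}
"""

# (API field, value a locked-down profile should publish, related setting).
# The field-to-setting mapping is an assumption of this example.
EXPECTED = [
    ("locked", True, "Require follow requests"),
    ("noindex", True, "Disable search engine indexing"),
    ("discoverable", False, "Turn off Suggest account to others"),
    ("indexable", False, "Keep public posts out of search (Mastodon 4.2+)"),
]


def audit_account(account: dict) -> list[str]:
    """Return one finding per setting that is not in its locked-down state."""
    findings = []
    for field, wanted, setting in EXPECTED:
        if field not in account or account[field] is None:
            # Older servers omit the field; null means it was never set.
            findings.append(
                f"{field}: not reported, verify '{setting}' in the web UI")
        elif account[field] != wanted:
            findings.append(f"{field}={account[field]!r}: fix '{setting}'")
    return findings


if __name__ == "__main__":
    for finding in audit_account(json.loads(SAMPLE_ACCOUNT_JSON)):
        print(finding)
```

Post visibility defaults and two-factor status are not exposed in the public Account object, so those two still need to be checked in Preferences.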
Quick checklist
- Profile visibility: Private or friends-only
- Search engine indexing: Off
- Location sharing: Off
- Two-factor authentication: Enabled (authenticator app, not SMS)
- Data partner sharing / personalized ads: Off
- Linked apps + sessions: Audited and revoked where unfamiliar
Why these settings still aren't enough
Even with every Mastodon setting locked down, your data still leaks through three channels these settings can't reach: historical exposures already in breach corpora, third-party scrapers that mirrored your old public data, and people-search aggregators that re-list your details every time you remove them. That's where continuous external monitoring becomes essential.
How Warden extends your Mastodon privacy
Warden by GalaxyWarden scans Mastodon handles across instances and federation logs.
Run a free Warden scan to see exactly what is exposed about you across every platform — not just Mastodon.