Creating Anonymous Accounts
On the fifth of August, Twitter reported an incident impacting some accounts and private information on Twitter. The attack was an enumeration attack: known email addresses or phone numbers were tried, and Twitter responded with the corresponding account. In light of this, I thought I would write a small blog post on how to set up a pseudo-anonymous account to protect against this kind of attack. It is important to know that if you want a higher level of anonymity, you will need to do more than the tips I write about here. This is just a small part of a bigger effort that needs to be done.
So from here we have two things we want to protect ourselves from.
- Starting from a mail address or phone number connected to us, we don't want anyone to be able to connect it to our pseudo-anonymous account.
- Starting from a mail address or phone number connected to our pseudo-anonymous account, we don't want anyone to be able to link that account to us.
We'll start with the mail part and then carry on to the phone part. This guide only aims to give a reasonably secure setup. For good privacy or anonymity, this is just a very small part of what needs to be done to secure yourself.
Almost all accounts we use today require a mail address or use the mail address as the username. Only a few services that advertise themselves as privacy-first companies allow account creation without a mail address.
We want to create a mail account that we can link to our account but that cannot be linked to us as a person. There are a couple of routes we can take, and each has its own trade-offs we need to think about.
Short Lived Mail Addresses
The idea here is that we want to use a service that provides us with a temporary mail that we can use during the registration part. The mail will be active for a few minutes or hours so that we can receive the verification link and finish our setup. When the mail address expires all mails sent to it will disappear into the void.
One service that can be used is 10 minute mail, but many more sites offering the same service exist. Pick the one you trust the most. But as a rule of thumb: "If it is free you are not the customer, you are the product." So depending on your need for privacy, those sites might not be satisfactory.
Using a short-lived mail address is the most secure way to do it, but it comes with a few drawbacks. If you lose your account, either because you have lost your password or because it got locked somehow (a real risk for large accounts on social media), then the account is gone forever. Gone like dust sucked into a black hole or getting Thanos snapped. If you don't want to risk that, I will take up an alternative solution in the next section.
Setup a new mail
If you don't want to use a short-lived mail address, either because of the risk of losing the account or because you don't trust any of those services, then we can set up a new mail account. Gmail, Live, Proton and others all work for this, so use whichever suits you best, though if you have a higher need for privacy then maybe choose one of the privacy-focused ones.
When you have created the new account, you can either throw the password away, but then you will have the same issue as with the short-lived mail address, or you can save the password to the mail account in a password manager, so that you will be able to restore your account if necessary. In this case it is important that you do not open mails that you haven't asked for. People can try to deanonymize you through tracking pixels or tracking links.
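To make the tracking-pixel and tracking-link risk concrete, the following added example (not part of the original post) lists the remote images and links in a raw message without rendering it, so nothing is fetched. The sample message, its hostnames and the "width/height of 0 or 1 means pixel" heuristic are assumptions made for illustration.

```python
# Added example: list remote content in a raw e-mail without rendering it.
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Constructed sample message (not a real e-mail).
SAMPLE = """\
From: news@shop.example
To: pseudonym@mail.example
Subject: Hello
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Hi! <a href="https://click.shop.example/r?uid=8f3a91c2&amp;c=42">Offer</a></p>
<img src="https://shop.example/logo.png" width="200" height="50">
<img src="https://t.shop.example/o.gif?rcpt=8f3a91c2" width="1" height="1">
<a href="mailto:help@shop.example">Help</a>
</body></html>
"""

class RemoteRefs(HTMLParser):
    """Collects (kind, host, query parameter names) for http(s) images and links."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = a.get("src") if tag == "img" else a.get("href") if tag == "a" else None
        if not url or urlsplit(url).scheme not in ("http", "https"):
            return  # mailto:, cid: and relative references contact no web server
        parts = urlsplit(url)
        params = [k for k, _ in parse_qsl(parts.query)]
        # Heuristic (assumption): an image declared 0 or 1 px in both dimensions is a pixel.
        tiny = tag == "img" and a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
        kind = "pixel" if tiny else "remote-image" if tag == "img" else "link"
        self.findings.append((kind, parts.hostname, params))

def scan(raw):
    """Parse the message offline and return every remote reference in its HTML parts."""
    msg = message_from_string(raw, policy=policy.default)
    parser = RemoteRefs()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser.feed(part.get_content())
    return parser.findings

if __name__ == "__main__":
    for kind, host, params in scan(SAMPLE):
        print(f"{kind:13} {host:22} query params: {params or '-'}")
```

Any remote image, not only a 1x1 one, tells the sender's server that the message was opened and from which IP address, so keeping remote content blocked in the mail client covers all three kinds of finding.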
Most sites don't require you to add your phone number, so the simplest way to stay safe is to simply not add a phone number, and you can then skip the phone section completely!
If you need a temporary number for some reason, you can use a short-lived number here too, just as we did with the mail. If you need a longer-lived number, then you need to get a burner phone number. Just pick up the cheapest SIM card you can find and use that one. For me the cheapest is prepaid SIM cards.
What about SIM MFA?
You are better off using an MFA method that is not connected to a phone number, such as an app or a physical token.