Is Bluesky Safe? A Complete Guide to Bluesky Security

by ZeroFox Team

Bluesky has rapidly become home to communities of activists, journalists, and tech-savvy users. It’s particularly attractive to anyone seeking alternatives to mainstream social spaces where they can come together, share information, and collaborate on campaigns. 

While not yet as high-profile as X/Twitter, TikTok, or Facebook, the platform has doubled in size over the last year and attracted household names such as Alexandria Ocasio-Cortez, Mark Hamill, George Takei, and Stephen King. Reputable news outlets like NPR, the New York Times, and the Guardian have also opened accounts on the network. 

But as organizations begin to explore this new frontier, one question should dominate boardroom discussions: Is Bluesky safe for business? Read on to find out why the platform presents a risk and discover how to make it a safer place for your organization.

What is Bluesky?

Bluesky (also known as Bsky) is an up-and-coming social media platform that works like X/Twitter but aims to give users more control. Like other social networks, members can post short messages, share photos and videos, and interact with others, but with two key differences: users get to decide how their feed works and who moderates their content.

Bluesky began in 2019 as a research project inside Twitter when it was run by Jack Dorsey. The goal was to explore ways to decentralize social media and move control out of the hands of tech giants. Bluesky was spun out as an independent company in 2021, before Elon Musk's 2022 acquisition of Twitter, and is now organized as a Public Benefit Corporation. It launched as an invite-only platform in February 2023 and opened to the wider public in early 2024.

What Makes Bluesky Different?

Bluesky offers several features you won't find on most traditional platforms:

  • User Autonomy: Users can store their data on their own servers or pick a different host instead of relying on Bluesky.
  • Domain Verification: Users who control a web domain can make it their handle by publishing a DNS TXT record (or a /.well-known/atproto-did file) that points at their account. For example, a publication like the New York Times can establish credibility through its @nytimes.com handle.
  • Customizable Algorithm: Instead of being stuck with whatever feed the platform gives them, users can choose from different sorting methods or even build their own.
  • Community-Run Moderation: Groups can set up their own content policies and labeling systems, rather than following one set of rules for everyone.
  • Starter Packs: New users can follow a whole group of related accounts at once to quickly find their community.

Is Everyone Joining Bluesky?

Growing by around 1 user every five seconds, Bluesky attracts millions of daily active users, mostly a younger, left-leaning, or liberal crowd. With approximately one-third of Bluesky users aged between 18 and 24, and around one-quarter aged 25 to 34, its users fall squarely in the age group most businesses want to reach.

Much of Bluesky's initial growth came from people leaving X following Musk’s purchase, citing problems like poor moderation, more extreme content, harassment, and disagreements with how the billionaire runs the platform. 

User numbers grew dramatically after the 2024 U.S. presidential election, with the fledgling platform adding 13 million users in just six weeks. By mid-November 2024, it had over 20 million users, reaching 30 million by January 2025. By Fall 2025, the number of users exceeded 40 million for the first time.

Yet, Bluesky’s security and moderation capabilities haven't evolved to keep up with its exploding user base, creating weaknesses that bad actors are enthusiastically embracing.

"It's the Wild West because it's so new,” warns Kelly Kuebelbeck, Senior Product Marketing Manager at ZeroFox. 

“And that means that it's a playground for criminals as well."

Bluesky User Milestones

Date               Milestone                                        Users
February 2024      Opens to the public (invite-only since           3 million
                   its February 2023 launch)
February 2024      Early adoption surge (about one week later)      4 million+
November 2024      U.S. presidential election season                20 million+
January 2025       Continued growth                                 30 million
Fall 2025          Latest user figures                              40 million+

Bluesky's Decentralized Architecture: How Bluesky Works

Bluesky runs on the AT Protocol (Authenticated Transfer Protocol; the network of services built on it is often called the Atmosphere), a framework that lets independent servers and apps exchange data. While the platform markets itself as decentralized, the reality is more nuanced: users may host their own Personal Data Server (PDS), but the large majority of accounts live on Bluesky-operated PDSs, and the relay and AppView that the official app depends on are also run by Bluesky. 

The modular design is intended to address several long-running problems with traditional social media: who owns user data, whether platforms can work together, and how much control users have. And as the protocol is open source, anyone can find out how it works and build apps that connect to it and the broader ecosystem. But all of these features also create unique vulnerabilities. 

Is Bluesky Safe? Bluesky Privacy and Security Overview

As an emerging player in the social media space, the question of Bluesky security is one that has real implications for businesses and individuals alike. 

Let’s take a closer look at Bluesky platform safety. 

How Secure is Bluesky?

The decentralized model and still-maturing security controls might align with Bluesky's optimistic philosophy, but they leave businesses exposed to risk. Companies establishing a presence on the platform should recognize the following limitations when assessing reputational risk:

Is Bluesky Safe from AI Scraping and Data Harvesting?

Organizations cannot assume their public communications remain under their control once posted to Bluesky. The protocol's public firehose (a live stream of every record written to the network) and its unauthenticated public APIs aim at transparency, but they also make bulk harvesting of user content not just possible but straightforward. 

Third-party actors can use them to scrape data, monitor conversations, and identify targets. Many users were shocked in November 2024 when a researcher easily extracted over one million posts, including text content, metadata, and information about reply relationships and media attachments, and published them as a machine-learning dataset (since withdrawn). 

Adding to these concerns, Bluesky currently offers no end-to-end encryption for direct messages: DMs are stored on, and readable by, Bluesky's chat service, so they should not be treated as private communications.

Distributed Infrastructure Challenges

While the federated-style model offers freedom to users, it means security responsibilities are spread across multiple independent operators. Anyone can run a Personal Data Server, so each operator must be trusted to maintain their own security standards, and data protection quality varies significantly across the network. 

Such fragmentation particularly affects data removal requests. A deletion is broadcast from the user's PDS, but relays, AppViews, feed generators, and third-party indexers that have already copied the record are under no technical obligation to honor it, so deleted information may persist indefinitely elsewhere, creating compliance challenges for organizations subject to data protection regulations.

Automated Account and Content Control Issues

The platform struggles with limiting automated bot accounts and preventing coordinated inauthentic behavior. Current detection mechanisms haven't scaled effectively with user growth, allowing problematic accounts to operate with only minor friction. This creates a fertile environment for the rapid spread of false information and makes brand protection more resource-intensive for organizations interested in optimizing their presence and mentions.

Enforcement and Governance Inconsistencies

While Bluesky does have centralized content oversight, it’s still a work in progress. So organizations accustomed to dominant platforms like Facebook or X (formerly Twitter) should not expect the same level of uniformity. Policy enforcement for issues such as harassment, impersonation, intellectual property misuse, or other violations can vary across the network. 

As a result, corporate users may need to take a more active role in monitoring and addressing risks that would typically be managed through mature, platform-wide governance on older social networks.

Authentication and Identity Management Limitations

Bluesky uses a simple authentication model; anyone can create an account with just an email address, much like other major social networks. While this makes onboarding quick, it also means the platform does not incorporate strong identity verification at the point of sign-up. 

"Because Bluesky’s verification systems are still evolving, the platform can be more vulnerable to impersonation compared to more mature networks,” says Alfredo Lavarello, a ZeroFox Product Manager focused on social media protection.

“Domain-verified handles exist but aren’t yet widely adopted, automated lookalike detection is still limited, and its trust-and-safety infrastructure continues to develop as the platform grows.”

“Established platforms like Facebook have stronger authentication layers and automated detection systems that make impersonation harder. Bluesky is still in the process of building similar protections.”

This means anyone can set up an account claiming to represent any company, opening the door to bad actors producing convincing replicas of brand accounts and executive profiles.

Impersonators simply copy a brand's display name, avatar, and bio onto an account whose handle is a slight variation on the standard .bsky.social domain, then use it to spread misinformation, target unsuspecting customers with fraud and scams, and deploy sophisticated phishing attacks.

Bluesky Scams and Misinformation

Cornell Tech research revealed that 44 percent of the top 100 most-followed Bluesky accounts had at least one impersonator associated with them, many of which are used to push bogus cryptocurrency giveaways, fake wallet setup guides, or elaborate cloud mining fraud schemes. High-profile targets have included New York Times tech journalist Sheera Frankel, Wired reporter Will Knight, and Canadian technology journalist Paris Marx.

Bluesky impersonators only add to the growing problem of deepfakes, with security researchers documenting 179 deepfake incidents targeting public figures and organizations across emerging platforms in the first quarter of 2025 alone. The latest deepfake threats aren't simple photo manipulations, but sophisticated synthetic media campaigns that combine AI-generated content with social engineering to create highly convincing deceptions. Reported losses associated with deepfake campaigns have now risen to $1.56 billion.

Bluesky has even been leveraged for the kind of large-scale geopolitical manipulation intended to weaken entire countries. 

In early 2025, investigations by AFP revealed Bluesky accounts characterized as pro-Russian "bots” using "Matryoshka" posts to attack media and imitate news outlets. They even used AI to create deepfakes of academics and universities. 

Soon after, malicious actors launched Operation Overload on Bluesky, opening fake accounts to spread Kremlin-aligned disinformation to international audiences, apparently aiming to undermine political stability. 

A key tactic of the 283 accounts analyzed was impersonation: nearly 95% of the accounts used media-themed branding, with many impersonating journalists or high-profile figures using stolen photos and fake affiliations to reputable organizations like Politico or the BBC. Some profiles posed as journalists, while others mimicked high-profile individuals like Finnish President Sauli Niinistö.

The operation spread disinformation such as AI-generated images depicting dystopian scenes, negative portrayals of political leaders, and manipulated videos. The strategy exploited the niche interests of Bluesky users and successfully seeded false narratives on the platform.

Following these campaigns, the platform announced stricter impersonation policies and new rules for parody accounts, but implementation remains inconsistent and enforcement sporadic. Bluesky also introduced a verification process involving identity checks and badges. However, it remains to be seen if these measures can keep pace with the continuing expansion of the platform. 

Account authentication (as distinct from identity verification) currently relies on email-based two-factor authentication (2FA), with no support for more robust methods such as authenticator apps or hardware tokens. Handle management also creates opportunities for bad actors: a .bsky.social handle that is released when an account changes or abandons it can be claimed by someone else, potentially enabling brand hijacking, impersonation, and identity theft.

Organizations that haven't yet established a presence on Bluesky are particularly vulnerable, as their entire brand identity sits unclaimed and unprotected in this emerging digital space.

"An organization may not have a Bluesky account yet, but that doesn’t prevent someone else from creating one in its name and misusing it,” Lavarello warns.

Inadequate Moderation Resources

The platform's slow buildout of its moderation infrastructure also contributes to its safety challenges. 

With a skeleton crew of only around 100 moderators overseeing millions of daily posts, backlogs are unavoidable, and response times remain slow. 

Misleading content and fake account impersonations can circulate for days or weeks before removal, and the toxic language and terms of service violations that would trigger immediate action on other platforms persist on Bluesky due to these underdeveloped resources. 

Delays also give malicious threat actors ample time to execute and profit from their schemes, whether organizing targeted harassment campaigns, spreading extremist content, or coordinating physical security threats.

The real-world consequences of Bluesky security gaps made the headlines when users organized physical attacks against Tesla cars and their owners. 

"On emerging platforms where moderation workflows are still developing, coordinated or harmful activity can spread more easily before it’s flagged,” explains Lavarello. 

“We’ve observed instances where users share content that encourages vandalism or other types of disruptive behavior, particularly during moments of heightened public sentiment.”

And, as Lavarello notes, there have been other physical security threats: 

“We've seen threats involving violence, arson, shootings, and issues tied to protests.”

Because users could post concerning content with a relatively low likelihood of immediate enforcement, the platform developed a reputation for being more permissive compared to larger networks.

“More established platforms have mature systems for detecting and acting on harmful or coordinated activity,” Lavarello says. 

“Bluesky’s tools are still being refined. In many cases, content may only be reviewed if it’s reported by users or organizations like ours.”

Is Bluesky Safer Than Twitter or Facebook?

When comparing Bluesky’s current safety capabilities with those of more mainstream social platforms, the differences largely reflect scale. Companies like Meta and X/Twitter have spent many years building extensive trust-and-safety operations, incorporating robust detection systems and large, dedicated moderation teams. By contrast, Bluesky is still in an early stage of improving its moderation tools and processes.

Staying Safe on Bluesky: Security Features and Best Practices

Organizations venturing onto Bluesky must adopt a defensive posture from day one. Here are the most essential tips for protecting yourself:

  1. Establish Your Brand Presence

Every day without an official account is another day competitors or threat actors can claim your brand identity, so establishing a presence should be a top priority, even if you don’t intend to actively engage on the platform. 

  2. Use Your Domain for Identity Verification

For organizations with the technical capability, domain-based verification offers some protection against impersonation, though its limitations mean additional protective measures are still essential. 

The process requires controlling a web domain and publishing a DNS TXT record at _atproto.<your-domain> (or serving a /.well-known/atproto-did file) that points to your account's DID; the domain then becomes your handle. This provides more credibility than a .bsky.social handle, but understand its limits: it proves control of that domain only, so an attacker who registers a lookalike domain can verify it just as easily, and most users won't recognize or understand this verification method, limiting its effectiveness as a trust signal.
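To make the check concrete, here is an added example (not Bluesky's code, and not part of the original post) of how a security team can confirm that a handle is genuinely backed by the domain it names. It implements the two AT Protocol handle-resolution methods (the _atproto TXT record and the /.well-known/atproto-did file) plus the reverse check that the DID document lists the handle in alsoKnownAs, and it pins the brand's own DID so that a verified lookalike domain is still rejected. The DNS, HTTPS and DID-directory lookups are injected functions fed with constructed sample records, so it runs offline; the domains example.com, alt.example and squat.example and the did:plc identifiers are hypothetical.

```python
"""Verify that a Bluesky handle is backed by the domain it names (added example)."""
from typing import Callable, Dict, List, Optional, Tuple

# Lookups are injected so the logic can be exercised offline. In production these
# would be a real DNS TXT query, an HTTPS GET, and a fetch of the DID document
# (https://plc.directory/<did> for did:plc, /.well-known/did.json for did:web).
DnsTxt = Callable[[str], List[str]]
HttpsGet = Callable[[str], Optional[str]]
DidDoc = Callable[[str], Optional[Dict]]


def resolve_handle(handle: str, dns_txt: DnsTxt, https_get: HttpsGet) -> Optional[str]:
    """Handle -> DID using the two methods the AT Protocol allows.

    1. A TXT record at _atproto.<handle> whose value is "did=<did>".
    2. A plain-text DID served at https://<handle>/.well-known/atproto-did.
    """
    handle = handle.lstrip("@").lower().rstrip(".")
    for value in dns_txt(f"_atproto.{handle}"):
        value = value.strip().strip('"')
        if value.startswith("did=did:"):
            return value[len("did="):]
    body = https_get(f"https://{handle}/.well-known/atproto-did")
    if body:
        first_line = body.strip().splitlines()[0].strip()
        if first_line.startswith("did:"):
            return first_line
    return None


def verify_handle(handle: str, dns_txt: DnsTxt, https_get: HttpsGet,
                  did_doc: DidDoc) -> Tuple[bool, str]:
    """Bidirectional check: the domain must point at a DID, and that DID's
    document must list the handle back in alsoKnownAs. A DID that merely
    claims a handle it does not control fails here."""
    handle = handle.lstrip("@").lower().rstrip(".")
    did = resolve_handle(handle, dns_txt, https_get)
    if did is None:
        return False, f"no _atproto TXT record or /.well-known/atproto-did for {handle}"
    doc = did_doc(did)
    if doc is None:
        return False, f"DID document for {did} not found"
    aka = {entry.lower() for entry in doc.get("alsoKnownAs", [])}
    if f"at://{handle}" not in aka:
        return False, f"{did} does not list at://{handle} in alsoKnownAs"
    return True, did


def is_brand_account(handle: str, expected_did: str, dns_txt: DnsTxt,
                     https_get: HttpsGet, did_doc: DidDoc) -> bool:
    """Domain verification only proves control of *that* domain, so a brand
    should also pin the DID of its own account and compare against it."""
    ok, did = verify_handle(handle, dns_txt, https_get, did_doc)
    return ok and did == expected_did


# ---- Constructed sample records (hypothetical domains and DIDs) ----
SAMPLE_DNS = {
    "_atproto.example.com": ['"did=did:plc:brandbrandbrandbrand0001"'],
    # A squatter controls squat.example, but its DID document claims example.com.
    "_atproto.squat.example": ["did=did:plc:squatsquatsquatsquat0002"],
}
SAMPLE_WELLKNOWN = {
    "https://alt.example/.well-known/atproto-did": "did:plc:altaltaltaltaltaltal0003\n",
}
SAMPLE_DID_DOCS = {
    "did:plc:brandbrandbrandbrand0001": {"alsoKnownAs": ["at://example.com"]},
    "did:plc:squatsquatsquatsquat0002": {"alsoKnownAs": ["at://example.com"]},
    "did:plc:altaltaltaltaltaltal0003": {"alsoKnownAs": ["at://alt.example"]},
}

fake_dns_txt: DnsTxt = lambda name: SAMPLE_DNS.get(name, [])
fake_https_get: HttpsGet = lambda url: SAMPLE_WELLKNOWN.get(url)
fake_did_doc: DidDoc = lambda did: SAMPLE_DID_DOCS.get(did)

BRAND_DID = "did:plc:brandbrandbrandbrand0001"  # the DID the brand pinned when it created its account


def check(handle: str) -> Tuple[bool, str]:
    """Run verify_handle against the constructed records."""
    return verify_handle(handle, fake_dns_txt, fake_https_get, fake_did_doc)


if __name__ == "__main__":
    for h in ("example.com", "alt.example", "squat.example", "nothing.example"):
        brand = is_brand_account(h, BRAND_DID, fake_dns_txt, fake_https_get, fake_did_doc)
        print(f"{h}: {check(h)} brand account: {brand}")
```

Note that alt.example verifies cleanly yet is not the brand: it is exactly the lookalike-domain case, which only the pinned-DID comparison catches. Handles under bsky.social resolve through Bluesky's own infrastructure and say nothing about who is behind the account.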

  3. Apply for Verification

Bluesky has recently introduced verification badges similar to other social platforms. When an account is verified, it gets a blue checkmark badge next to the username. 

There are two ways to get verified:

  • Direct from Bluesky: Bluesky's team actively looks for authentic, notable accounts and verifies them directly. These accounts get a standard blue badge. If you want verification for your organization, you need to fill out an application form that Bluesky provides.
  • Through Trusted Verifiers: Certain organizations can become "Trusted Verifiers" and verify their own members. For instance, the New York Times can verify its own journalists' accounts. These organizations get a special badge to show they're trusted verifiers.

  4. Ensure Password Security

Use a unique password for Bluesky and keep it in a password manager. Make it long: NIST's current guidance (SP 800-63B) favors length over forced mixes of letters, numbers, and symbols, so a multi-word passphrase is the better choice.

  5. Turn On Two-Factor Authentication (2FA)

While Bluesky only provides 2FA via email, it's still worthwhile to turn on this extra layer, which requires a second step beyond your password to log in. Because the codes (and password resets) arrive by email, the mailbox behind the account must itself be locked down with strong, phishing-resistant 2FA, and the account should be registered to a monitored corporate address rather than an individual's inbox. 

  6. Monitor App Passwords

These special passwords let third-party apps and tools act as your Bluesky account without your main password. Check them regularly in your settings and delete any you don't recognize or no longer use; they could belong to old, insecure apps or indicate unauthorized access, and each one is a standing credential until revoked.

  7. Use Moderation Lists

Bluesky prefers to let users configure their own moderation. This can be done with moderation lists, which let users mute or block groups of accounts in bulk, and by subscribing to independent labelers whose labels hide or warn on content in your feeds. 

  8. Watch Out for Common Phishing Scams on Bluesky

Be suspicious of any message that sounds urgent or threatening, like "Act now or lose your account!" Phishing scammers try to make you panic and react without thinking. Never share your login information with anyone, even if they claim to be helping you. You may encounter:

  • Fake verification offers: Scammers who message you privately offering to verify your account. Anyone claiming to be staff who messages you about this is fraudulent.
  • Fake moderation warnings: If someone messages you saying your account violated rules or needs immediate action, it's a ploy. Official Bluesky staff won't ask for your password or payment information through private messages.
  • Imposter accounts: Genuine official Bluesky accounts use handles on the bsky.app domain (for example @bsky.app) and carry the blue verification checkmark. If someone claims to be Bluesky staff but has neither, they're fake.

  9. How to Spot Fake Bluesky Accounts

Identifying fraudulent accounts on Bluesky requires caution and attention to detail. Impersonators systematically copy profiles, bios, photos, and posting styles to create convincing replicas. Display names are free text and prove nothing, so look at the handle: watch for brand names or slight variations of them (substituted or look-alike characters, extra hyphens or digits, unusual spacing in the display name) on the standard .bsky.social domain, and remember that a .bsky.social handle is never domain-verified.

Warning signs include new accounts immediately launching giveaways, profiles requesting users move to off-platform communication, accounts promoting investments, and financial opportunities that seem too good to be true. Direct messages containing requests for gift cards, cryptocurrency transfers, or login credentials should be treated as immediate red flags.
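The display-name and handle tricks described above, and earlier under Authentication and Identity Management Limitations, can be checked mechanically. The following is an added example, not ZeroFox's or Bluesky's code, of a lookalike detector: it normalizes display names and handles (Unicode NFKC, zero-width characters removed, a small confusables map for Cyrillic and digit substitutions, rn/vv collapsed) and flags accounts whose display name matches the brand or whose handle carries the brand name on a domain the brand does not control. The brand Acme Corp, its handle acme.example and the sample accounts are constructed; the confusables table is a deliberately small subset of Unicode's confusables data.

```python
"""Flag Bluesky accounts that look like a brand (added example, constructed data)."""
import difflib
import re
import unicodedata
from typing import Dict, List, Optional, Tuple

ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}

# Small subset of visually confusable characters (Unicode TR39 has the full table).
CONFUSABLES = {
    "0": "o", "1": "l", "|": "l", "3": "e", "4": "a", "5": "s", "7": "t", "$": "s", "@": "a",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic а е о р с
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u0458": "j",  # Cyrillic у х і ѕ ј
    "\u0131": "i",                                                               # dotless i
}
# Two-character sequences that read as one letter at a glance.
SEQUENCES = (("rn", "m"), ("vv", "w"))

DISPLAY_MATCH = "display name matches the brand name after normalization"
DISPLAY_NEAR = "display name closely resembles the brand name"
HANDLE_TOKEN = "handle contains the brand name on a domain the brand does not control"


def normalize(text: str) -> str:
    """Reduce a display name or handle label to a comparable ASCII skeleton."""
    text = unicodedata.normalize("NFKC", text)          # fullwidth/compatibility forms -> ASCII
    text = "".join(ch for ch in text if ch not in ZERO_WIDTH)
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text.lower())
    for seq, replacement in SEQUENCES:
        text = text.replace(seq, replacement)
    return re.sub(r"[^a-z0-9]", "", text)             # drop spaces, punctuation, emoji


def handle_local_part(handle: str) -> str:
    """'acme-official.bsky.social' -> 'acme-official'; custom domains are kept whole."""
    handle = handle.lstrip("@").lower()
    suffix = ".bsky.social"
    return handle[: -len(suffix)] if handle.endswith(suffix) else handle


def classify(account: Dict[str, str], brand: Dict[str, str]) -> Optional[str]:
    """Return a reason string if the account looks like a brand impersonation, else None."""
    handle = account["handle"].lstrip("@").lower()
    brand_handle = brand["handle"].lower()
    # Handles on the brand's own verified domain (or a subdomain of it) are trusted.
    if handle == brand_handle or handle.endswith("." + brand_handle):
        return None
    brand_name = normalize(brand["name"])
    display = normalize(account.get("displayName", ""))
    if display == brand_name:
        return DISPLAY_MATCH
    if display and difflib.SequenceMatcher(None, display, brand_name).ratio() >= 0.85:
        return DISPLAY_NEAR
    brand_token = normalize(brand_handle.split(".")[0])
    if brand_token and brand_token in normalize(handle_local_part(handle)):
        return HANDLE_TOKEN
    return None


def scan(accounts: List[Dict[str, str]], brand: Dict[str, str]) -> List[Tuple[str, str]]:
    """Run classify over a batch (e.g. the results of a search for the brand name)."""
    findings = []
    for account in accounts:
        reason = classify(account, brand)
        if reason:
            findings.append((account["handle"], reason))
    return findings


# ---- Constructed sample data: a hypothetical brand and search results ----
BRAND = {"name": "Acme Corp", "handle": "acme.example"}
SAMPLE_ACCOUNTS = [
    {"handle": "acme.example", "displayName": "Acme Corp"},                          # genuine
    {"handle": "support.acme.example", "displayName": "Acme Support"},               # genuine subdomain
    {"handle": "acmecorp.bsky.social", "displayName": "\u0430cme C\u043erp \u2705"}, # Cyrillic а/о + fake check
    {"handle": "totallydifferent.bsky.social", "displayName": "Acrne Corp"},         # rn masquerading as m
    {"handle": "acme-official.bsky.social", "displayName": "Official Updates"},      # brand name in handle
    {"handle": "tdc.bsky.social", "displayName": "Totally Different Co"},            # benign
]

if __name__ == "__main__":
    for handle, reason in scan(SAMPLE_ACCOUNTS, BRAND):
        print(f"{handle}: {reason}")
```

In practice the account list would come from a search for the brand name and its common misspellings, and every hit would still need human review: the normalization is deliberately aggressive (it also turns "corn" into "com"), which is the right trade-off for triage but not for automated takedowns.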

ZeroFox Makes Bluesky and Social Media Safer for Business

As bad actors increasingly exploit external platforms like Bluesky to distort reality, ZeroFox leads the way by bringing the first Bluesky solution to market. 

ZeroFox's wider social media protection platform functions as an extension of your organization's security department, providing round-the-clock monitoring and response capabilities for mainstream networks like Facebook, Instagram, and Twitter, along with more niche spaces like 4Chan, Mastodon, Truth Social, and now Bluesky. 

To deliver persistent visibility and rapid threat detection across the expanding social media ecosystem, the platform uses API integration to collect over 20 million profiles and posts daily, processes them through sophisticated filtering systems, and identifies genuine threats among the noise. ZeroFox automates the entire workflow, transforming an impossible manual task into an effective process that generates more than 140,000 social content alerts each day.

The company's expansion to include Bluesky adds another vector to proactively help businesses protect their digital identity from threats like fraud, impersonation, and misinformation. 

For Bluesky, ZeroFox defines AI-powered search terms related to customer digital assets, then scans posts, profiles, comments, and replies on a short, continuous cadence to identify potential threats. 

Key protection areas include:

  • Comprehensive impersonation defense that detects fake accounts, cloned profiles, and AI-driven deepfakes before they mislead customers
  • AI-powered image, logo, and content matching, combined with optical character recognition
  • Advanced deepfake detection that analyzes synthetic media for anomalies such as unnatural facial movements, plus behavioral and linguistic analysis that identifies intent to do harm
  • Checks against comprehensive blacklists of domains and known bad actors that automatically flag posts referencing these malicious entities
  • Physical threat mitigation capabilities that identify early signs of safety risks to executives, locations, or events, providing actionable intelligence for crisis response, including geospatial threat correlation

The platform also addresses broader reputational risks, from fake job posts to counterfeit product listings, ensuring comprehensive brand protection across the social media landscape.

But, like its wider social media protection across platforms, ZeroFox's remediation and disruption capabilities go beyond simple Bluesky monitoring. 

When malicious content is detected, the system generates immediate alerts that can trigger automated remediation for certain threat types, limiting reach to prevent viral spread and pursuing takedowns before damage occurs, preserving brand reputation and protecting customers from sophisticated scams. 

The company leverages relationships with platform partners to coordinate removal of fraudulent content, automating takedowns through workflows with 80+ partners, including ISPs, registrars, hosting providers, and browsers. This infrastructure has achieved over 915,000 successful social takedowns annually, with a 97% success rate and average takedown submission times under two hours.

More nuanced situations are escalated for human review by expert analysts. This dual approach of combining AI-powered detection with human expertise addresses the unique challenges of Bluesky security. 

The platform's integration capabilities ensure seamless incorporation into existing security infrastructures. Supporting all major IT security solutions, ZeroFox extends organizational cybersecurity postures to cover emerging platforms like Bluesky without requiring extensive reconfiguration or training. With protection spanning over 25 major and alternative platforms, forums, and messaging apps, organizations gain comprehensive coverage through a single solution.

Should You Join Bluesky? Final Verdict

With millions of Bluesky users and a still-developing Bluesky security infrastructure, threat actors will continue to refine their tactics, leaving your brand, executives, and customers facing risks whether you maintain an active presence or not. 

The right question to ask isn't whether your organization should join Bluesky, but whether you can afford not to protect yourself on the platform. 

With its proactive cycle of discovering, validating, and disrupting threats, ZeroFox puts you back in control and brings peace of mind by neutralizing threats swiftly rather than just identifying them. 

Find out more about how ZeroFox can make Bluesky safer for your organization.

Tags: Brand Protection, Cyber Trends
