Simulation of Social Media Account Compromise Across User-Chosen Authentication Schemes

Authors

  • Tapiwa Gundu, Nelson Mandela University

DOI:

https://doi.org/10.34190/ecsm.13.1.4685

Keywords:

authentication, social media security, simulation, agent based modelling, multi-factor authentication

Abstract

The security of social media platforms is fundamentally shaped by the authentication choices of their users. While individual authentication methods have known vulnerabilities, there is limited understanding of how the aggregate of these choices creates systemic risks at the platform level. This paper presents a simulation that models common attacks (credential stuffing, phishing, and SIM-swapping) against a simulated population of users employing different authentication methods (password-only, SMS OTP, TOTP app, and passkeys). The account compromise rates, attacker costs, and, most critically, the downstream platform impacts are quantified. The study highlights that authentication compromises lead to the spread of disinformation and exfiltration of private data. The results reveal that even modest shifts in user adoption toward stronger methods dramatically reduce the platform's overall attack surface. For instance, migrating password-only users to any form of two-factor authentication (2FA) reduces total platform vulnerability to credential stuffing by over 80%. However, the persistence of SMS OTP creates a high-risk cohort vulnerable to targeted SIM-swapping, facilitating high-impact compromises. The simulation provides data-driven recommendations for social media platform designers to evaluate security policies, forecast the effects of nudging strategies, and prioritise defences against the most likely and damaging attack vectors shaped by their users' authentication preferences.

Published

2026-06-01