Bluesky has a verification problem
The company says it’s working to verify more accounts, but its approach is flawed.
Bluesky is bigger than ever. But as the upstart social media service surges, the platform is facing some growing pains. Among them: The influx of new users has opened up new opportunities for scammers and impersonators hoping to capitalize on the attention — and Bluesky’s lack of a conventional verification system.
A recent analysis by Alexios Mantzarlis, director of the Security Trust and Safety Initiative at Cornell Tech, found that 44 percent of the top 100 most-followed accounts on Bluesky had at least one “doppelganger,” with most looking like “cheap knock-offs of the bigger account, down to the same bio and profile picture,” Mantzarlis wrote in his newsletter Faked Up.
Unlike many of its counterparts, which offer checkmarks and official badges to government officials, celebrities and other high profile accounts, Bluesky has a more hands-off approach to verification. Instead of proactively verifying notable accounts itself, the company encourages users to use a custom domain name as their handle in order to “self-verify.”
For example, my employer Engadget currently has the Bluesky handle engadget.bsky.social. But if we wanted to “verify” our account, we could opt to change it to Engadget.com. Some media organizations, like The New York Times, Bloomberg and The Onion, have done this for their official accounts. Individuals are also able to verify by using a personal website.
But, the process is more complicated than simply changing your handle. It also requires entities to add a string of text to the DNS record associated with their domain. While in some ways it’s a clever solution to verification — only the actual owner of a website would be able to access the DNS record for a domain — it also has a number of drawbacks. It’s a manual process that’s not readily accessible to everyone who might wish to be verified. (Bluesky does sell custom domains for users who don’t already have one.)
Verification is even more complex for those wishing to verify multiple accounts associated with the same domain, which may explain why some outlets, like The New York Times and NPR, have custom handles, but don’t extend that verification to their reporters on Bluesky. Even Bluesky’s own tutorial suggests organizations seek assistance from their IT departments.
There are other issues. Once you change your handle to match a domain you own, your old alias (engadget.bsky.social, for instance) becomes available again. So you’ll either need to set up a new account to “squat” on your old handle, or risk an impersonator scooping it up. And even if you add a custom domain, it doesn’t offer foolproof protection against impersonation. A dedicated scammer could use a lookalike domain and “verify” an imposter account.
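To make the two points above concrete (the DNS text record behind a domain handle, and why a lookalike domain still passes it), here is an added example that is not from Bluesky or from this article. It assumes the AT Protocol convention of a TXT record at `_atproto.<handle>` holding `did=<account DID>`; every handle, DID and DNS answer in it is a constructed placeholder, and the function names are hypothetical.

```python
# Constructed TXT answers, keyed the way a resolver would be queried.
# All domains and DIDs are placeholders, not real accounts.
SAMPLE_TXT = {
    "_atproto.news.example.com": ["did=did:plc:aaaa1111example"],
    "_atproto.news.examp1e.com": ["did=did:plc:bbbb2222example"],
    "_atproto.split.example.com": ["did=did:plc:cccc3333example",
                                   "did=did:plc:dddd4444example"],
}

def resolve_handle(handle, txt_records=SAMPLE_TXT):
    """Return the DID published in the handle's _atproto TXT record, or None."""
    answers = txt_records.get("_atproto." + handle.lower().rstrip("."), [])
    dids = {a[4:] for a in answers if a.startswith("did=did:")}
    # Conflicting records count as a failed resolution, not a choice.
    return dids.pop() if len(dids) == 1 else None

def domain_verified(handle, account_did, txt_records=SAMPLE_TXT):
    """True only if the domain's DNS record names this exact account."""
    did = resolve_handle(handle, txt_records)
    return did is not None and did == account_did

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(handle, trusted_handles, max_distance=2):
    """Return the trusted handle this one closely resembles, or None."""
    h = handle.lower()
    if h in trusted_handles:
        return None
    near = [t for t in trusted_handles if edit_distance(h, t) <= max_distance]
    return min(near, key=lambda t: edit_distance(h, t)) if near else None
```

The constructed `news.examp1e.com` passes `domain_verified` for its own account, which is exactly the gap described above: the DNS check proves control of a domain, not identity, so a client or moderator also needs a comparison against known-good handles such as `lookalike_of`.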
To make things more confusing, Bluesky itself gives no indication, other than the handle name, that an account has been “verified.” Verified accounts don’t have a visual indicator — like a check or a badge — that differentiates them from unverified ones.
To combat this, some Bluesky users are coming up with their own makeshift workarounds. Hunter Walker, an investigative reporter for Talking Points Memo and early Bluesky user, has been proactively verifying journalists, celebrities and other high-profile accounts himself. So far, he’s verified more than 330 people, including New York Representative Alexandria Ocasio-Cortez, Flavor Flav, Mark Cuban and Barbra Streisand.
“I have a pretty high standard for journalism and reporting, and everything I say, I like to triple check the sources,” Walker tells Engadget. “I like to make sure it's confirmed. And it became apparent to me, participating in Bluesky, that on a basic level, nothing was confirmed.”
Walker estimates he’s spent about 16 hours over the last couple weeks verifying accounts. He has different methods depending on the user, but it often involves communicating with someone from another account officially linked to them, like a company email address. For celebrities, their representatives are often able to confirm their official Bluesky handles.
“I’ve caught so many scammers and imposters, and it's not always who you would expect,” Walker says. “Regular journalists sometimes have three or four imposters.” He says he’s been inundated with requests for his unofficial verification, and notes that a number of people he’s verified also use a custom domain. “They want something else … because a domain is not verification of identity.”
Walker maintains “starter packs” of journalists and other prominent accounts he’s verified. Recently, he took it a step further, working with another user to create a custom labeling service that will append different emojis to accounts he’s verified to make his “verification” more prominent. Users who subscribe to the service will see a 😎 next to celebrities and public figures, and a 🌐 next to journalists.
While these kinds of efforts can act as a stopgap, Walker won’t be able to verify every notable account on Bluesky himself. He’s suggested that other communities, like university researchers, could undertake a similar ad hoc verification effort. But, without help from Bluesky or a third-party identity service, he expects impersonation to remain an issue.
And widespread impersonation can often lead to bigger problems for a platform like Bluesky. “Sloppy verification is an early signal of broader deception and catnip for organized disinformation actors,” Cornell Tech’s Mantzarlis wrote, noting that Vice President Kamala Harris “at one point had 20 impersonator accounts” on Bluesky even though she’s never had an official presence on the platform.
For its part, Bluesky has acknowledged that impersonation is an issue. In an update this week, the company said it had seen “a predictable uptick in harmful content” that coincided with its recent growth. In a statement to Engadget, Bluesky spokesperson Emily Liu said the company had “quadrupled” its moderation team, which would help ensure reports of impersonation are handled more quickly. Liu also said that Bluesky was working on “easier visual signals we could use for verification so it's a better user experience,” though it’s not yet clear what form that might take.
But Bluesky, which currently has just 20 full-time employees, seems reluctant to consider other approaches to verification outside of custom domains. “We've been working behind the scenes with official organizations and high-profile individuals like celebrities and elected officials to get their accounts verified on Bluesky with their website,” Liu said. “With domains as verification, we want to put the tools of verification in each org's hands, instead of making Bluesky the company the sole arbiter of who deserves to be verified on the network.”
Bluesky’s hesitation to play the role of verifier is in many ways understandable. Verification has a long and messy history on other platforms. On Twitter, a symbol that was originally created to fight impersonators quickly morphed into a sometimes divisive status symbol. On Instagram, verification has often been exploited by scammers. Now, both companies allow users to buy blue checkmarks, though both platforms also proactively verify certain types of accounts, like those belonging to government officials.
Bluesky CEO Jay Graber, however, has signaled that she’s potentially open to alternate approaches to verification. In a livestream on Twitch this week, she said the company “might at some point” become a “verification provider.” TechCrunch, which reported the remarks, said that her comments suggested a future system in which there are multiple “providers” of verification. Graber added that she’s “not sure when” such a scenario would play out.
Walker, who repeated several times his firm belief that “Bluesky has the juice,” hopes that his verification project might be able to nudge Bluesky to take a different approach. “I'm really hoping that people pay attention to the question of trust and the question of identity. The cool thing about the open source nature of it all, is we have a chance to build things on this and make it how we want it.”