How to Securely Request & Store Your Clients' Social Media Passwords

26 January, 2021
Gavin Hammar

Since the Cambridge Analytica scandal and GDPR coming into force in 2018, we suddenly find ourselves in a much more privacy-conscious world.

Storing and sharing sensitive information (including social media credentials) should not be overlooked, especially if you run a social media agency or manage social media on behalf of others.

Now is an excellent time to instil confidence in your clients so that they feel comfortable working with your company for the long term. And it all starts with a great and safe onboarding experience.

In this article, I’m going to show you:


Why you should care about onboarding your clients safely

Since GDPR rules were enforced, companies and agencies are taking a much closer look at the way they store and transfer data. By now, you have probably forgotten the sheer amount of emails you received from other brands asking you to confirm your email subscription.

But you may still get questions from your largest clients asking you whether your agency is taking additional security measures and is GDPR compliant.

Where most agencies view these kinds of questions as a burden and chore to answer, this can be an incredible opportunity. Think about it - your clients are giving you a chance to reassure them in a way that can help cement your partnership with them well into the future.

Also, don’t expect these requests to decrease, as this is just the beginning of what’s to come! We expect to see similar data protection regulation coming into effect from the US in the next few years, so now is a good time to ensure your agency is ready.

After all, if you’re not compliant and your clients’ personal data is leaked, you stand to be fined up to £20 million or 4% of annual turnover. If that’s not enough of a wake-up call for all of us, I’m not sure what else is!

But where can you possibly start? Your clients’ personal data is being transferred all over the place: from emails to spreadsheets, CSV files to CRMs and CMSs to Social Media Management Tools. I apologise for all the acronyms here, but it just serves to highlight the fact that with so many different tools and integration points us marketers have to deal with, how can we possibly be expected to secure all these flows and take steps to ensure there are no data leaks?

At Sendible, we believe that when analysing your data flows, the best place to start is with that initial onboarding journey when your client first agrees to let you manage their social media profiles on their behalf. 

Why the way you currently onboard clients could be fraught with risks

Sharing passwords over email is not secure

Let’s face it, in order to do their jobs, all social media agencies, no matter the size, need a way to receive and store their clients’ login details for Instagram, LinkedIn, Twitter, Pinterest, Facebook, and other platforms.

It’s worth mentioning, however, that Facebook’s Terms of Service, like those of most other social media networks, contain the following line:

You must not share your password, give access to your Facebook account to others or transfer your account to anyone else (without our permission).

It is clear that while the key social media platforms recognise other people might be managing pages or profiles on someone else's behalf, sharing passwords and transferring account ownership are not allowed.

Yet, here are the typical ways agencies handle the transfer of passwords from their clients:

  • The client sends their username and password for each social media account over an email, messaging app, or task management tool.
  • The client submits a Google Form (or similar) listing all their social media passwords which are stored in an openly available Google Doc.
  • The client uses the same master password for all their social media accounts, so the agency is able to sign into every account using the same credentials.

With each of the above approaches, there is the risk that one day, all of the passwords for all clients’ accounts could end up in one central place for a hacker to come in and take control of.

Or worse, it would open an avenue for a disgruntled ex-employee to steal these credentials and wreak havoc.

Just imagine the damage this scenario could cause your agency:

  1. You let go of an employee, and they steal the spreadsheet containing the social media login details for the brands your agency manages.
  2. They post malicious content to your client’s social media profiles or delete all of your work.
  3. Your client loses trust and requests to cancel their contract with your agency due to a data breach.
  4. You lose your client and risk being fined or sued.
  5. Your other clients hear about the breach, and request to terminate their contracts with you.

The best case in this scenario is that you realise they’ve stolen the spreadsheet and can notify all of your clients, asking them to change their passwords before any harm is done. However, even if the passwords are reset in time, your relationship with those clients can get tarnished anyway.

Matthew Mizbani from Two Sigma Ventures sums it up nicely:

In my own experience, a company’s marketing firm is given the social media credentials for the company’s social media accounts. Because the marketing firm is contracted by the company and relies on its reputation to be contracted by more companies, if the marketing firm were to tamper with the account, they would not only lose the business of the company, but likely have a hard time finding future business.

There is also the risk that even after a client terminates their contract with your agency, they don’t bother to change their passwords or remove your agency’s admin access leaving their social media accounts open to further vulnerabilities.

And while some useful functionality is baked into the platforms to simplify account management, e.g., by setting up correct page roles, no native solution will help you manage all your client accounts in one place.

How can you securely onboard new clients and gain their trust

Most digital agency founders, when they first get started, are hustling to bring on those first few clients and really can’t be blamed for being scrappy. But, even as they grow, they remain focused on delivering results for their clients and very rarely do they revisit the risks related to the way they request and store social media passwords for their clients.

With laws like GDPR and a new privacy consciousness that’s being instilled in both companies and individuals, this is no longer a risk that your agency can afford to take.

If there’s one thing you can do now, I would suggest revisiting the way you request, transfer and store your clients’ social media login details.

With an increased focus on privacy along with social networks changing their Terms of Service, you should also start to expect that clients will become more reluctant to share their passwords with your agency.

At Sendible, we have developed a solution to this problem called Client Connect. Client Connect makes it easy for your clients to securely grant your agency publishing access to their social media profiles directly from your website, without any passwords needing to be transferred or stored.

Client Connect: The risk-free way to request social media login details from clients

Instead of needing to directly request login details for your clients’ social media accounts, Client Connect is a widget that can be installed on your website. It allows your clients to connect their social media profiles themselves and authorise you to manage their accounts through our social media management tool.

When your clients add their accounts, they are immediately available for your agency to manage within your Sendible account. There is no need to transfer passwords via email or store your clients’ login details in spreadsheets.

Also, since Sendible uses OAuth 2.0, which allows your clients to authenticate directly with the social platforms, there is no transfer of passwords and other sensitive information. There is also no way for disgruntled ex-employees to run off with your clients’ passwords!
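The delegation described above, as an added sketch that is not Sendible's or any social platform's code: a toy in-memory authorization server and client run the OAuth 2.0 authorization-code exchange with PKCE. All names, URLs and the account are constructed for illustration; the password is checked only inside `Platform`, and `AgencyTool` ends up holding a scoped token that the account owner can revoke.

```python
import base64, hashlib, secrets
from urllib.parse import urlencode, urlparse, parse_qs

def s256(verifier):
    """PKCE S256 code challenge (RFC 7636): base64url(sha256(verifier)), no padding."""
    digest = hashlib.sha256(verifier.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

class Platform:
    """Toy stand-in for a social network's OAuth 2.0 authorization server."""
    def __init__(self):
        self._passwords = {"client@example.com": "correct horse"}  # constructed account
        self._codes, self._tokens = {}, {}
    def authorize(self, url, user, password):
        # The account owner signs in here, on the platform, never at the agency.
        q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        if not secrets.compare_digest(self._passwords.get(user, ""), password):
            raise PermissionError("login failed")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (user, q["scope"], q["code_challenge"])
        return q["redirect_uri"] + "?" + urlencode({"code": code, "state": q["state"]})
    def token(self, code, verifier):
        user, scope, challenge = self._codes.pop(code)  # a code is single use
        if not secrets.compare_digest(s256(verifier), challenge):
            raise PermissionError("PKCE verifier mismatch")
        tok = secrets.token_urlsafe(24)
        self._tokens[tok] = (user, scope)
        return tok
    def revoke(self, tok):
        self._tokens.pop(tok, None)  # owner withdraws access; password unchanged
    def publish(self, tok, text):
        user, scope = self._tokens.get(tok, (None, ""))
        if user is None or "publish" not in scope.split():
            raise PermissionError("token invalid or revoked")
        return f"{user} posted: {text}"

class AgencyTool:
    """Holds only a state value, a PKCE verifier and, later, a scoped token."""
    def __init__(self):
        self.state, self.verifier = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
    def authorization_url(self):
        return "https://platform.example/authorize?" + urlencode({
            "response_type": "code", "client_id": "agency-tool", "scope": "publish",
            "redirect_uri": "https://agency.example/callback",
            "state": self.state, "code_challenge": s256(self.verifier),
            "code_challenge_method": "S256"})
    def handle_callback(self, callback_url, platform):
        q = parse_qs(urlparse(callback_url).query)
        if not secrets.compare_digest(q.get("state", [""])[0], self.state):
            raise PermissionError("state mismatch")  # reply not tied to our request
        return platform.token(q["code"][0], self.verifier)
```

Revoking the token ends the agency's access without a password change, which is the offboarding step the shared-spreadsheet approach cannot offer.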


How can my agency benefit from Client Connect?

Our password widget is a great way to demonstrate your agency's commitment to your clients’ privacy. Since you no longer have to request that clients email you the passwords to their social media accounts, you are now granting complete control to your clients to be able to connect these accounts themselves.

The fact that you do not ask them for their login details will set your agency apart from the rest and is a fantastic USP when pitching to new clients.

Besides acting as an additional benefit in new client pitches, Client Connect can also act as a reassurance for existing clients by showing them that your agency takes their privacy extremely seriously.

Since Client Connect gives your agency the ability to manage your clients’ accounts without the need to transfer passwords, you are also fully adhering to the terms and conditions of each of the social networks, not to mention GDPR requirements.

How can I install Client Connect on my website?

We have a step-by-step guide to installing the Client Connect widget on our support portal, but here's a quick overview of the steps:

  1. If you’re already a Sendible customer, sign into your account and you’ll be able to access the Client Connect setup wizard from the Add profiles page. If you’re not yet a user, start your free trial here.
  2. On the right side of the page, you’ll find the Install Client Connect box. Click to start the setup process.
  3. In the first step, enter your website domain name, for example, This is the website on which Client Connect will be installed.
  4. Click Select Profiles to continue. You can then choose the profiles that you want to make available for your clients for connection.
  5. When you’re happy with your selection, click Generate Code.
  6. Then, select the code that’s been generated and copy it to your clipboard. This code can be added to any page on your website. When rendered, the profiles you selected will appear for your clients, and they'll be able to connect them to your Sendible account.
  7. Click Done to close the window.

When Client Connect is displayed on your website, it will display a branded badge saying 'Powered by Sendible' just below the profiles that are available for connection. If you'd like, you can remove the 'Powered by Sendible' branding by upgrading to a higher subscription plan.

The Client Connect widget will automatically adapt to the look and feel of your website, but if you’d like to customise it further, you can add your own styling to the connect buttons through a coding language called CSS.

Why implementing privacy by design now will encourage future growth for your agency

With the wave of changes from Twitter and Facebook along with GDPR, we can only expect more updates in the coming years. With all this change, there is a massive opportunity for your agency to get a competitive edge over the thousands of other agencies competing for your clients’ attention by implementing privacy by design.

The agencies who lead with a privacy-first approach in their client pitches and in their operational processes are the ones who are going to ride this wave and come out on top!

At Sendible, our entire organisation worked to ensure that our own practices are GDPR-compliant and that we put our customers’ privacy first.

But equally important to us is helping you, our partners and customers, understand what these changes mean for your businesses so that you can build privacy-first processes of your own.

Although we are not legal professionals, if we can help your marketing agency in any way, please get in touch using this form and we’ll do our best to advise you.

