Do you have online accounts you haven't used in years? If so, a bit of digital spring cleaning might be in order.
As our lives become increasingly tied to the digital world, the number of accounts we sign up for keeps growing. Think back—can you remember every service you’ve ever registered for? Maybe a free trial you forgot to cancel, or an app you downloaded while traveling but never touched again. It's not unusual. In fact, research suggests the average person has as many as 168 passwords for personal accounts.
But here's the problem: inactive accounts are a serious security risk, whether in your personal life or at work. Cybercriminals often target these forgotten doors into your digital world, and that makes regular digital housekeeping more important than ever.
Why are dormant accounts risky?

There are many reasons why you might have a large number of forgotten, inactive accounts. The chances are, you’re bombarded by special offers and new digital services on a daily basis. Sometimes the only way to check them out is by signing up and creating a new account. But we’re only human – we forget, our interests change over time, and sometimes we can’t remember the logins and move on. It’s often harder to delete an account than just leave it to become dormant.
However, that may be a mistake. Accounts that have been inactive for a long time are more likely to be compromised, according to Google. That’s because there’s a greater chance that they use old or reused credentials that may have been caught up in a historic data breach. The tech giant also claims that “abandoned accounts are at least 10x less likely than active accounts to have 2-step-verification set up.”
These accounts could be a magnet for hackers, who are increasingly focused on account takeover (ATO). They carry out these takeovers using a variety of techniques, including:
- Infostealer malware to steal logins.
- Large-scale data breaches that expose old credentials.
- Credential stuffing to try stolen passwords on other services.
- Brute-force techniques, where they use trial and error to guess your passwords.
The consequences of inactive accounts
If an attacker gains access to your account, they could:
- Send spam or scams to your contacts, especially through email or social media, using your name to build trust.
- Extract personal information, such as saved credit card details or identity info, and use it for fraud or phishing.
- Sell the account on the dark web, particularly if it's tied to rewards programs or loyalty points.
- Drain stored funds, including forgotten crypto wallets or old bank accounts (in the UK, it’s estimated that around £82 billion is sitting in unclaimed accounts!).
Dormant business accounts are also an attractive target, given that they could give threat actors an easy pathway to sensitive corporate data and systems. They could steal and sell this data or hold it to ransom. In fact:
- The Colonial Pipeline ransomware breach of 2021 started from an inactive VPN account that was hijacked. The incident resulted in major fuel shortages up and down the US East Coast.
- A 2020 ransomware attack on the London Borough of Hackney stemmed in part from an insecure password on a dormant account connected to the council’s servers.
Time for a spring clean?
So what can you do to mitigate the risks outlined above? Some service providers now automatically close inactive accounts after a certain length of time, in order to free up computing resources, reduce costs and enhance security for customers. They include Google, Microsoft, and X.
However, when it comes to your digital security, it’s always best to be proactive. Consider the following:
- Audit & Delete: Periodically search your email for old sign-up confirmations ("Welcome," "Free trial") and delete any unused accounts.
- Manage Passwords: Review your password manager or browser's saved passwords, deleting or updating those linked to inactive/compromised accounts.
- Verify Deletion: Check the provider's policy to ensure all personal data is removed upon account closure.
- Think Before You Sign Up: Consider if creating a new account is truly necessary.
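The "Audit & Delete" step can be automated against a mailbox export. The sketch below is an added example, not part of the original article: it finds services that sent a sign-up style email and have sent nothing since a cutoff. The function name, the extra subject phrases, the 365-day idle threshold and the sample messages are all assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# "Welcome" and "Free trial" come from the article; the other phrases are assumed additions.
SIGNUP_RE = re.compile(
    r"\b(welcome|free trial|(?:verify|confirm) your (?:e-?mail|account))\b", re.I)

# Constructed sample messages (headers only), not real mail.
SAMPLE = [
    "From: PhotoApp <hello@photoapp.example>\nDate: Mon, 03 Feb 2020 10:00:00 +0000\n"
    "Subject: Welcome to PhotoApp\n\n",
    "From: billing@streambox.example\nDate: Tue, 05 Jan 2021 09:30:00 +0000\n"
    "Subject: Your free trial has started\n\n",
    "From: news@streambox.example\nDate: Fri, 02 May 2025 08:00:00 +0000\n"
    "Subject: New shows this week\n\n",
    "From: friend@mail.example\nDate: Sat, 03 May 2025 12:00:00 +0000\n"
    "Subject: lunch?\n\n",
]

def find_dormant_signups(raw_messages, now, idle_days=365):
    """Map sender domain -> (first sign-up mail, last mail of any kind) for
    services that signed you up but have been silent for more than idle_days."""
    signup, last_seen = {}, {}
    for raw in raw_messages:
        msg = message_from_string(raw)
        # Group by the exact sender domain (a simplification: one service may
        # send from several domains).
        domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
        try:
            sent = parsedate_to_datetime(msg.get("Date", ""))
        except (TypeError, ValueError):
            continue  # missing or malformed Date header: skip the message
        if not domain:
            continue
        if sent.tzinfo is None:  # "-0000" dates parse as naive; treat as UTC
            sent = sent.replace(tzinfo=timezone.utc)
        last_seen[domain] = max(last_seen.get(domain, sent), sent)
        if SIGNUP_RE.search(msg.get("Subject", "")):
            signup[domain] = min(signup.get(domain, sent), sent)
    cutoff = now - timedelta(days=idle_days)
    return {d: (signup[d], last_seen[d]) for d in signup if last_seen[d] < cutoff}

if __name__ == "__main__":
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed date so output is repeatable
    for domain, (first, last) in find_dormant_signups(SAMPLE, now).items():
        print(f"{domain}: signed up {first:%Y-%m-%d}, last mail {last:%Y-%m-%d}")
```

To run it on a real export, pass the raw text of each message, for example as read with Python's standard `mailbox` module. Each domain it reports is a candidate for deletion.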
For those accounts you want to keep, consider the following:
- Always use a strong, unique password and store it in a password manager.
- Enable two-factor authentication (2FA) – Adds an extra layer of security if your password is ever leaked.
- Avoid public Wi-Fi for sensitive logins – Unless you use a VPN, public networks can expose your activity to cybercriminals.
- Watch for phishing – Never click links in suspicious emails or texts, and be wary of messages that pressure you to act quickly.
Most of us have dozens of inactive accounts online. By spending just a few minutes a year on this digital clean-up, you can significantly boost your cybersecurity and make your online life much safer.