Why Are Inactive Accounts Dangerous?
With the constant barrage of special offers and new digital services, it’s easy to accumulate numerous forgotten accounts. Often the only way to try a service out is to create an account. But humans forget, interests change, and login details get lost, leaving the account dormant.
This might seem harmless, but it isn’t. According to Google, accounts that have been inactive for extended periods are more likely to be compromised, because their credentials may have leaked in historical data breaches and were never changed. Google also states that “abandoned accounts have at least 10 times fewer chances of having two-factor authentication enabled compared to active accounts.”
These inactive accounts attract cybercriminals, who are increasingly focused on account takeover (ATO). They use techniques such as:
- Infostealer malware: designed to harvest login credentials from infected devices. Last year, 3.2 billion credentials were stolen, 75% of them through infostealers.
- Large-scale data breaches: where attackers steal entire databases of usernames and passwords from third-party companies you may have signed up with.
- Credential stuffing: where attackers feed username/password pairs leaked from one breach into automated tools that try them against many other services, relying on people having reused the same password across platforms.
- Brute-force attacks: where attackers guess a password by trial and error, typically working through lists of common passwords against a single account.
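The last two techniques leave different fingerprints in a login log, and telling them apart matters because each points at a different failing (reused passwords versus weak ones). The Python below is an added example, not code from the original article: it runs a sliding time window over a constructed login log (the `timestamp ip user result` format and the thresholds are assumptions for this example) and flags a source that tries many different usernames once or twice each as credential stuffing, and a source that hammers one username as brute force. Any success inside a stuffing window is recorded as a likely takeover, since it means a password leaked elsewhere also worked here.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Detection thresholds (assumed for this example, tune to your own baseline).
WINDOW = timedelta(minutes=5)
MIN_DISTINCT_USERS = 5      # many different usernames from one source => stuffing
MIN_FAILED_ATTEMPTS = 10    # many failures against one username => brute force

# Constructed sample log: "<ISO timestamp> <source IP> <username> <SUCCESS|FAIL>".
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 alice FAIL
2024-05-01T10:00:02Z 203.0.113.7 bob FAIL
2024-05-01T10:00:03Z 203.0.113.7 carol FAIL
2024-05-01T10:00:04Z 203.0.113.7 dave FAIL
2024-05-01T10:00:05Z 203.0.113.7 erin FAIL
2024-05-01T10:00:06Z 203.0.113.7 frank FAIL
2024-05-01T10:00:07Z 203.0.113.7 grace SUCCESS
2024-05-01T10:05:00Z 198.51.100.9 alice FAIL
2024-05-01T10:05:01Z 198.51.100.9 alice FAIL
2024-05-01T10:05:02Z 198.51.100.9 alice FAIL
2024-05-01T10:05:03Z 198.51.100.9 alice FAIL
2024-05-01T10:05:04Z 198.51.100.9 alice FAIL
2024-05-01T10:05:05Z 198.51.100.9 alice FAIL
2024-05-01T10:05:06Z 198.51.100.9 alice FAIL
2024-05-01T10:05:07Z 198.51.100.9 alice FAIL
2024-05-01T10:05:08Z 198.51.100.9 alice FAIL
2024-05-01T10:05:09Z 198.51.100.9 alice FAIL
2024-05-01T09:00:00Z 192.0.2.5 bob FAIL
2024-05-01T09:00:30Z 192.0.2.5 bob SUCCESS
"""


@dataclass
class Event:
    ts: datetime
    ip: str
    user: str
    success: bool


@dataclass
class Finding:
    ip: str
    kind: str                      # "credential_stuffing" or "brute_force"
    attempts: int
    distinct_users: int
    likely_compromised: set = field(default_factory=set)


def parse_log(text):
    """Parse the constructed log format into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(Event(when, ip, user, result == "SUCCESS"))
    return events


def classify_window(ip, window):
    """Return a Finding if one source's events inside one time window match a pattern."""
    per_user = Counter(e.user for e in window)
    failures = sum(1 for e in window if not e.success)
    successes = {e.user for e in window if e.success}
    if len(per_user) >= MIN_DISTINCT_USERS and max(per_user.values()) <= 2:
        # Stuffing: one or two tries per username. A success means a password
        # leaked from some other service also opens this account.
        return Finding(ip, "credential_stuffing", len(window), len(per_user), successes)
    if len(per_user) == 1 and failures >= MIN_FAILED_ATTEMPTS:
        return Finding(ip, "brute_force", len(window), 1, successes)
    return None


def detect(log_text):
    """Slide WINDOW over each source IP's events; return {ip: Finding}."""
    by_ip = defaultdict(list)
    for e in parse_log(log_text):
        by_ip[e.ip].append(e)
    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e.ts)
        left = 0
        for right in range(len(events)):
            while events[right].ts - events[left].ts > WINDOW:
                left += 1
            finding = classify_window(ip, events[left:right + 1])
            if finding:
                findings[ip] = finding   # keep the widest matching window per IP
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG).values():
        print(f"{f.ip}: {f.kind}, {f.attempts} attempts, {f.distinct_users} user(s),"
              f" likely compromised: {sorted(f.likely_compromised) or 'none'}")
```

On the sample data, 203.0.113.7 is reported as credential stuffing with `grace` as a likely takeover, 198.51.100.9 as brute force against `alice`, and 192.0.2.5 (one failed attempt followed by a success) is left alone. In a real deployment the thresholds would be set from your own traffic, and the stuffing rule should also consider successes spread over many source IPs, since large stuffing campaigns rotate through proxy pools.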
Consequences of Inactive Accounts
Personal Accounts
If an attacker gains access to your account, they could:
- Use it to send spam and scams to your contacts (e.g., if it’s an inactive email or social media account), or even launch convincing phishing attacks in your name. These attacks aim to obtain confidential information from your contacts or trick them into installing malware.
- Search for personal information or saved payment cards to commit identity fraud, or send further phishing emails impersonating the service provider to gather more information. Expired cards are of little use, but non-expired ones could be used for purchases in your name.
- Sell the account on the dark web, especially if it has additional value, like a loyalty or airline mile account.
- Empty the account of funds (e.g., if it’s a cryptocurrency wallet or bank account). In the UK alone, it is estimated that there could be £82 billion (approximately $109 billion) sitting in lost bank, building society, pension and other accounts.
Corporate Accounts
Inactive business accounts are also attractive targets, as they can provide access to confidential corporate data and systems, which criminals can steal and sell or hold for ransom. For instance:
- The 2021 Colonial Pipeline ransomware attack started with a hijacked VPN account that was no longer in use but had never been disabled, and was not protected by multi-factor authentication. The incident caused significant fuel shortages across the US East Coast.
- A 2020 ransomware attack on the London Borough of Hackney was traced partly to an insecure password on a dormant account that was still connected to the council’s servers.
Time for Cleanup?
What can be done to mitigate these risks? Some service providers automatically close accounts that have been inactive for a set period, to free up computing resources, cut costs and protect their customers. Google and Microsoft, among others, do this.
However, when it comes to your digital security, proactivity is key. Consider the following:
- Conduct periodic audits and delete accounts you no longer use. A good way to find them is to search your email inbox for subject lines containing keywords like “Welcome,” “Verify Account,” “Free Trial,” “Thank you for registering,” “Validate your account,” etc.
- Look through your password manager or your browser’s saved passwords and delete the entries for accounts you have closed, or update the password where it is weak, reused across sites, or has appeared in a data breach.
- Check the account provider’s deletion policy to ensure all personal and financial information is permanently removed when closing the account.
- Think twice before creating an account. Is it really worth it?
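The first two steps above can be automated against two files most people can export: a mailbox archive (for example the .mbox that Google Takeout produces) and a password-manager CSV. The Python below is an added example, not code from the original article. It scans a constructed mbox for the article’s sign-up keywords in subject lines and groups the hits by sender domain with the date of the earliest one (a rough proxy for how long you have had the account), then reads a constructed password-manager export and lists which sites share a password. The `name,url,username,password` column layout is an assumption; check the header of your own manager’s export before running it.

```python
import csv
import io
import mailbox
import re
import tempfile
from collections import defaultdict
from email.utils import parseaddr, parsedate_to_datetime
from urllib.parse import urlparse

# The article's keyword list as regexes, so words may appear in between
# ("Please verify your account" still matches).
SIGNUP_SUBJECTS = re.compile(
    r"welcome|verif(y|ication).*account|free trial"
    r"|thank you for (registering|signing up)|validate.*account",
    re.IGNORECASE,
)

# Constructed mbox archive: three sign-up style mails and one personal mail.
SAMPLE_MBOX = """\
From no-reply@shop.example Mon May  1 10:00:00 2023
From: "Example Shop" <no-reply@shop.example>
Subject: Welcome to Example Shop!
Date: Mon, 01 May 2023 10:00:00 +0000

Thanks for registering.

From hello@streamly.example Tue Jun  6 09:00:00 2023
From: Streamly <hello@streamly.example>
Subject: Your free trial has started
Date: Tue, 06 Jun 2023 09:00:00 +0000

Enjoy the show.

From no-reply@shop.example Mon May  1 10:02:00 2023
From: "Example Shop" <no-reply@shop.example>
Subject: Please verify your account
Date: Mon, 01 May 2023 10:02:00 +0000

Click to verify.

From friend@example.net Wed Jul 12 18:00:00 2023
From: A Friend <friend@example.net>
Subject: Lunch tomorrow?
Date: Wed, 12 Jul 2023 18:00:00 +0000

Same place?
"""

# Constructed password-manager export (column names are an assumption).
SAMPLE_EXPORT = """\
name,url,username,password
Example Shop,https://shop.example/login,me@example.com,Summer2019!
Streamly,https://streamly.example,me@example.com,Summer2019!
Bank,https://bank.example,me,x7#Kq!9vLp2mRt
"""


def find_signup_senders(mbox_path):
    """Map sender domain -> {"first_seen": date, "subjects": [...]} for sign-up mail."""
    found = defaultdict(lambda: {"first_seen": None, "subjects": []})
    for msg in mailbox.mbox(mbox_path):
        subject = str(msg.get("Subject", ""))
        if not SIGNUP_SUBJECTS.search(subject):
            continue
        domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
        date_hdr = msg.get("Date")
        when = parsedate_to_datetime(date_hdr).date() if date_hdr else None
        entry = found[domain]
        entry["subjects"].append(subject)
        if when and (entry["first_seen"] is None or when < entry["first_seen"]):
            entry["first_seen"] = when
    return dict(found)


def find_reused_passwords(csv_text):
    """Return {password: [hosts]} for every password used on more than one site."""
    by_password = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = urlparse(row["url"]).hostname or row["url"]
        by_password[row["password"]].append(host)
    return {pw: hosts for pw, hosts in by_password.items() if len(hosts) > 1}


def scan_sample_mbox():
    """Write the constructed archive to a temp file and scan it."""
    with tempfile.NamedTemporaryFile("w", suffix=".mbox", delete=False) as f:
        f.write(SAMPLE_MBOX)
    return find_signup_senders(f.name)


if __name__ == "__main__":
    for domain, info in sorted(scan_sample_mbox().items()):
        print(f"{domain}: first seen {info['first_seen']}, {len(info['subjects'])} sign-up mail(s)")
    for hosts in find_reused_passwords(SAMPLE_EXPORT).values():
        # Report the sites, never the password itself.
        print("same password reused on:", ", ".join(hosts))
```

Run against a real archive, the first report is your candidate list of accounts to close or secure; the second tells you exactly which accounts a single breach would expose to credential stuffing, so those passwords should be changed first.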
For accounts you plan to keep, apart from updating the password to a strong and unique credential and storing it in a password manager, consider:
- Enable two-factor authentication (2FA), so that even if someone obtains your password, they still cannot log in without the second factor.
- Avoid logging into sensitive accounts on public Wi-Fi without a VPN, as attackers on the same network could intercept your traffic and capture your login details.
- Be cautious of phishing attempts that try to trick you into revealing your login details or downloading malicious software (such as infostealers). Never click links in unsolicited messages, especially ones pressuring you to act quickly, e.g., claiming you owe money or that your account will be deleted unless you act now.
Most of us likely have dozens, if not scores, of inactive accounts scattered across the internet. Spending a few minutes annually cleaning them up can make your digital life a bit more secure.