The longer our digital lives, the more online accounts we are likely to accrue. Can you even remember all the services you’ve signed up for over the years? It could be that free trial you started and never cancelled. Or that app you used on holiday once and never returned to. Account sprawl is real. According to one estimate, the average person has 168 passwords for personal accounts.
Inactive accounts are also a security risk, both from a personal and a work perspective. They represent a potentially attractive target for opportunistic criminals, so it’s worth considering a bit of spring cleaning occasionally to keep them under control. There are many reasons why you might have forgotten, inactive accounts. The chances are you are flooded with special offers and new digital services daily. Sometimes the only way to check them out is by signing up and creating a new account. Our interests change over time, and sometimes we cannot remember the logins and move on. It is often harder to delete an account than just leave it to become dormant.
Accounts that have been inactive for a long time are more likely to be compromised, according to Google. That’s because there’s a greater chance that they use old or reused credentials that may have been caught up in a historic data breach. The tech giant also claims that “abandoned accounts are at least 10x less likely than active accounts to have 2-step-verification set up.”
These accounts could be a magnet for hackers, who are increasingly focused on account takeover (ATO). They do so via a variety of techniques, including:
- Infostealer malware designed to harvest your logins. One report claims that 3.2 billion credentials were stolen last year; most (75%) via infostealers.
- Large-scale data breaches, where hackers harvest entire databases of passwords and usernames from third-party companies you might have signed up with.
- Credential stuffing, where hackers feed breached credentials into automated software, to unlock accounts where you’ve reused that same compromised password.
- Brute-force techniques, where they use trial and error to guess your passwords.
If an attacker gains access to your account, they could:
- Use it to send spam and scams to your contacts (e.g., if it is an inactive email or social media account) or even launch convincing phishing attacks in your name. These might try to elicit sensitive info from your contacts or trick them into installing malware.
- Search through your dormant account for personal information or saved card details. These could be used to commit identity fraud, or to send further phishing emails impersonating the account service provider to elicit more details from you. Saved cards may have expired, but ones that haven’t could be used to make fraudulent transactions in your name.
- Sell the account on the dark web, if it has any value, such as a loyalty or Air Miles account you may have forgotten about.
- Drain the account of funds (e.g., if it’s a crypto wallet or a forgotten bank account). In the UK, it’s estimated that there could be £82bn ($109bn) in lost bank, building society, pension, and other accounts.
Dormant business accounts are also an attractive target, given that they could give threat actors an easy pathway to sensitive corporate data and systems. They could steal and sell this data or hold it to ransom:
- The Colonial Pipeline ransomware breach of 2021 started from an inactive VPN account that was hijacked. The incident resulted in major fuel shortages up and down the US East Coast.
- A 2020 ransomware attack on the London Borough of Hackney stemmed in part from an insecure password on a dormant account connected to the council’s servers.
What can you do to mitigate the risks outlined above? Some service providers now automatically close inactive accounts after a certain length of time, to free up computing resources, reduce costs and enhance security for customers. They include Google, Microsoft, and X.
When it comes to your digital security, it is best to be proactive. Consider the following:
- Periodically audit and delete any inactive accounts. A good way to find these is to search your email inbox for keywords like “Welcome,” “Verify account,” “Free trial,” “Thank you for signing up,” “Validate your account,” etc.
- Go through your password manager or saved password list in your browser and delete any linked to inactive accounts – or update the password if it has been flagged as insecure/caught in a data breach.
- It may be worth checking the account provider’s deletion policies to ensure that all personal and financial information will be removed if you close the account.
- Think twice before new sign-ups. Is it worth creating a new account?
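The inbox keyword search suggested in the first point can be automated. The script below is an added example (not code from the original article) that scans raw e-mail messages for the signup-style subjects listed above, builds an inventory of the sending domains, and flags services that have not e-mailed you in a long time, which is a reasonable proxy for an account you have stopped using. It assumes you can export mail as RFC 822 text (an .mbox file, for instance); the messages embedded here are constructed samples so it runs offline, and the two-year staleness threshold is an assumption.

```python
"""Inventory signup e-mails to find forgotten accounts.

Added example. Messages below are constructed samples (not real mail);
the 730-day staleness threshold and the reference date are assumptions.
"""
import email
from datetime import datetime, timezone
from email.utils import parseaddr, parsedate_to_datetime

# Subject keywords from the article's suggestion, matched case-insensitively.
SIGNUP_KEYWORDS = (
    "welcome",
    "verify account",
    "free trial",
    "thank you for signing up",
    "validate your account",
)

# Assumed reference date so the example is reproducible.
AUDIT_DATE = datetime(2025, 1, 1, tzinfo=timezone.utc)


def _raw_mail(sender, subject, date, body="(constructed sample body)"):
    """Build a minimal RFC 822 message string for the embedded samples."""
    return f"From: {sender}\nTo: me@mail.example\nSubject: {subject}\nDate: {date}\n\n{body}\n"


# Constructed sample mailbox: two signups long forgotten, one still active,
# and one sender (bank.example) with no signup mail at all.
SAMPLE_MESSAGES = [
    _raw_mail("noreply@shop.example", "Welcome to Example Shop!", "Mon, 03 Mar 2014 10:15:00 +0000"),
    _raw_mail("orders@shop.example", "Your order has shipped", "Mon, 10 Mar 2014 14:00:00 +0000"),
    _raw_mail("hello@streaming.example", "Your free trial starts now", "Sat, 01 Jun 2019 08:00:00 +0000"),
    _raw_mail("hello@streaming.example", "New shows this week", "Wed, 01 May 2024 08:00:00 +0000"),
    _raw_mail("alerts@bank.example", "Your monthly statement", "Tue, 03 Dec 2024 06:00:00 +0000"),
    _raw_mail("Forum Team <admin@forum.example>", "Please verify account to finish registration", "Wed, 20 Jan 2016 19:45:00 +0000"),
]


def is_signup_subject(subject):
    """True if the subject looks like an account-creation message."""
    s = (subject or "").lower()
    return any(k in s for k in SIGNUP_KEYWORDS)


def sender_domain(msg):
    """Lower-cased domain of the From: address, or None if unparsable."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower() or None


def inventory(raw_messages):
    """Return {domain: {"signup_subject", "messages", "last_seen"}} for
    every sending domain that produced at least one signup-style message.
    last_seen is the newest message of any kind from that domain."""
    seen = {}
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        domain = sender_domain(msg)
        if not domain:
            continue
        try:
            when = parsedate_to_datetime(msg.get("Date", ""))
        except (TypeError, ValueError):
            when = None  # missing or malformed Date header
        entry = seen.setdefault(domain, {"signup_subject": None, "messages": 0, "last_seen": None})
        entry["messages"] += 1
        if when and (entry["last_seen"] is None or when > entry["last_seen"]):
            entry["last_seen"] = when
        if entry["signup_subject"] is None and is_signup_subject(msg.get("Subject")):
            entry["signup_subject"] = msg.get("Subject")
    return {d: e for d, e in seen.items() if e["signup_subject"] is not None}


def stale_accounts(inv, now=AUDIT_DATE, days=730):
    """Domains whose most recent mail is older than `days`, oldest first."""
    stale = [(e["last_seen"], d) for d, e in inv.items()
             if e["last_seen"] is not None and (now - e["last_seen"]).days > days]
    return [d for _, d in sorted(stale)]


if __name__ == "__main__":
    inv = inventory(SAMPLE_MESSAGES)
    for domain in stale_accounts(inv):
        e = inv[domain]
        print(f"{domain:<20} signed up via '{e['signup_subject']}', "
              f"last mail {e['last_seen']:%Y-%m-%d} -> review or delete")
```

Services that still mail you regularly (streaming.example here) are filtered out as presumably active; those that went quiet years ago are the candidates for the delete-or-secure decision the list above describes.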
For those accounts you want to keep, aside from updating the password to a strong, unique credential, and storing it in a password manager, consider the following:
- Switching on two-factor authentication (2FA), so that even if a hacker gets hold of your password, they won’t be able to compromise your account.
- Never log in to sensitive accounts on public Wi-Fi (without using a VPN, anyway), as cybercriminals may be able to eavesdrop on your activity and steal your logins.
- Be aware of phishing messages that try to trick you into handing over your logins or downloading malware (like infostealers). Never click on links in unsolicited messages, and do not fall for attempts to rush you into acting, for example, claiming you owe money or that your account will be deleted if you do not.
The chances are that most users have inactive accounts across the internet. By taking a few minutes out of your day once a year to clean things up, you could make your digital life that little bit more secure.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989