Don’t let dormant accounts become a doorway for cybercriminals


06/02/2025


Do you have online accounts you haven’t used in years? If so, a bit of digital spring cleaning might be in order.


The longer our digital lives, the more online accounts we’re likely to accrue. Can you even remember all the services you’ve signed up to over the years? It could be that free trial you started and never cancelled. Or that app you used on holiday once and never returned to. Account sprawl is real. According to one estimate, the average person has 168 passwords for personal accounts.

Yet inactive accounts are also a security risk, both from a personal and a work perspective. They represent a potentially attractive target for opportunistic criminals, so it’s worth considering a bit of spring cleaning once in a while to keep them under control.

Why are dormant accounts risky?

There are many reasons why you might have a large number of forgotten, inactive accounts. The chances are, you’re bombarded by special offers and new digital services on a daily basis. Sometimes the only way to check them out is by signing up and creating a new account. But we’re only human – we forget, our interests change over time, and sometimes we can’t remember the logins and move on. It’s often harder to delete an account than just leave it to become dormant.

However, that may be a mistake. Accounts that have been inactive for a long time are more likely to be compromised, according to Google. That’s because there’s a greater chance that they use old or reused credentials that may have been caught up in a historic data breach. The tech giant also claims that “abandoned accounts are at least 10x less likely than active accounts to have 2-step-verification set up.”

These accounts could be a magnet for hackers, who are increasingly focused on account takeover (ATO). They do so via a variety of techniques, including:

  • Infostealer malware designed to harvest your logins. One report claims that 3.2 billion credentials were stolen last year; most (75%) via infostealers
  • Large-scale data breaches, where hackers harvest entire databases of passwords and usernames from third-party companies you might have signed up to
  • Credential stuffing, where hackers feed breached credentials into automated software, in an attempt to unlock accounts where you’ve reused that same compromised password
  • Brute-force techniques, where they use trial and error to guess your passwords

The consequences of inactive accounts

If an attacker gains access to your account, they could:

  • Use it to send spam and scams to your contacts (e.g., if it’s an inactive email or social media account), or even launch convincing phishing attacks in your name. These might try to elicit sensitive info from your contacts, or trick them into installing malware.
  • Search through your dormant account for personal information or saved card details. These could be used to commit identity fraud, or to send further phishing emails impersonating the account service provider in order to elicit more details from you. Saved cards may have expired, but ones that haven’t could be used to make fraudulent transactions in your name.
  • Sell the account on the dark web, if it has any value, such as a loyalty or Air Miles account you may have forgotten about.
  • Drain the account of funds (e.g., if it’s a crypto wallet or forgotten bank account). In the UK, it’s estimated that there could be £82bn ($109bn) in lost bank, building society, pension, and other accounts.

Dormant business accounts are also an attractive target, given that they could give threat actors an easy pathway to sensitive corporate data and systems. They could steal and sell this data or hold it to ransom. In fact:

  • The Colonial Pipeline ransomware breach of 2021 started from an inactive VPN account that was hijacked. The incident resulted in major fuel shortages up and down the US East Coast.
  • A 2020 ransomware attack on the London Borough of Hackney stemmed in part from an insecure password on a dormant account connected to the council’s servers.

Time for a spring clean?

So what can you do to mitigate the risks outlined above? Some service providers now automatically close inactive accounts after a certain length of time, in order to free up computing resources, reduce costs and enhance security for customers. They include Google, Microsoft, and X.

However, when it comes to your digital security, it’s always best to be proactive. Consider the following:

  • Periodically audit and delete any inactive accounts. A good way to find these is to search your email inbox for keywords like “Welcome,” “Verify account,” “Free trial,” “Thank you for signing up,” “Validate your account,” etc.
  • Go through your password manager or saved password list in your browser and delete any linked to inactive accounts – or update the password if it has been flagged as insecure/caught in a data breach.
  • It may be worth checking the account provider’s deletion policies to ensure that all personal and financial information will definitely be removed if you close the account.
  • Think twice before new sign-ups. Is it really worth creating a new account?
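The inbox keyword search suggested above can be turned into a small, repeatable audit. The script below is an added example and is not code from the original article: it scans message subject lines for the sign-up phrases the article lists, groups the hits by sender domain, and flags every service whose most recent mail is older than a chosen inactivity window. The mailbox contents, domain names, and report date are all constructed for illustration.

```python
"""Added example (not from the original article): inventory the services you
signed up to by scanning mailbox subject lines for sign-up keywords, then flag
those with no mail activity for a long time. All message data is constructed."""
from datetime import date
import re

# Keywords the article suggests searching for, matched case-insensitively.
SIGNUP_KEYWORDS = (
    "welcome", "verify account", "free trial",
    "thank you for signing up", "validate your account",
)
_KEYWORD_RE = re.compile("|".join(re.escape(k) for k in SIGNUP_KEYWORDS), re.IGNORECASE)

# Constructed sample mailbox: (sender address, subject line, message date).
SAMPLE_MESSAGES = [
    ("noreply@shopexample.test", "Welcome to ShopExample!", date(2019, 3, 4)),
    ("hello@travelapp.test", "Verify account to start using TravelApp", date(2021, 7, 12)),
    ("billing@streamnow.test", "Your free trial starts today", date(2024, 11, 2)),
    ("billing@streamnow.test", "Your invoice for January", date(2025, 1, 15)),
    ("friend@personalmail.test", "Re: lunch on Friday?", date(2025, 5, 20)),
    ("news@shopexample.test", "Spring sale: 20% off", date(2020, 4, 1)),
]

# Constructed "today" so the report is reproducible.
REPORT_DATE = date(2025, 6, 2)

def sender_domain(address):
    """Normalise a sender address to its domain, used as the service key."""
    return address.rsplit("@", 1)[-1].lower()

def find_signups(messages):
    """Return {domain: earliest sign-up date} for every sender domain whose
    subject line contains one of the sign-up keywords."""
    signups = {}
    for sender, subject, when in messages:
        if _KEYWORD_RE.search(subject):
            domain = sender_domain(sender)
            if domain not in signups or when < signups[domain]:
                signups[domain] = when
    return signups

def last_activity(messages):
    """Return {domain: most recent message date} across all messages."""
    latest = {}
    for sender, _subject, when in messages:
        domain = sender_domain(sender)
        if domain not in latest or when > latest[domain]:
            latest[domain] = when
    return latest

def dormant_accounts(messages, today, inactive_days=365):
    """Domains you signed up to whose most recent mail is older than
    inactive_days, as (domain, last_seen, age_in_days), stalest first.
    These are the candidates to close, or to re-secure with a fresh
    password and 2FA if you decide to keep them."""
    signups = find_signups(messages)
    latest = last_activity(messages)
    result = []
    for domain in signups:
        age = (today - latest[domain]).days
        if age > inactive_days:
            result.append((domain, latest[domain], age))
    return sorted(result, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    for domain, last_seen, age in dormant_accounts(SAMPLE_MESSAGES, REPORT_DATE):
        print(f"{domain}: last mail {last_seen}, {age} days ago")
```

Feeding this real data means exporting subject lines, sender addresses and dates from your mail client; matching on the sender domain rather than the full address is deliberate, since a service's welcome mail and its later notifications usually come from different mailboxes at the same domain.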

For those accounts you want to keep, aside from updating the password to a strong, unique credential, and storing it in a password manager, consider the following:

  • Switching on two-factor authentication (2FA), so that even if a hacker gets hold of your password, they won’t be able to compromise your account.
  • Never log in to sensitive accounts on public Wi-Fi (without using a VPN, anyway), as cybercriminals may be able to eavesdrop on your activity and steal your logins.
  • Be aware of phishing messages that try to trick you into handing over your log-ins or downloading malware (like infostealers). Never click on links in unsolicited messages, and don’t fall for attempts to rush you into taking action by, for example, claiming you owe money or that your account will be deleted if you don’t.

The chances are that most of us have dozens if not scores of inactive accounts sprawled across the internet. By taking a few minutes out of your day once a year to clean things up, you could make your digital life that little bit more secure.
