Your forgotten email accounts are more dangerous than you think

A forgotten email account isn’t a harmless relic from past online times, but a potential gateway to your digital identity. As long as it exists, it remains accessible—not just to you, but also to hackers.
Almost every online service uses email addresses as an anchor point. Anyone who has access to your mailbox can, for example, use the “forgot password” function to take over other linked accounts via a chain reaction. Hackers love inactive email accounts because hardly anyone looks at them, and warning messages about unauthorized logins go unnoticed and unread into digital oblivion.
Why old email accounts are dangerous
An old email account becomes a risk for two reasons: carelessness and the passage of time. You can find out whether your data is already at risk with just a few clicks. There are specialized online tools (many of which are free) that will compare a given email address against billions of stolen data records from known hack attacks and data breaches.
The most notable tool is Have I Been Pwned (HIBP), which shows you in a flash whether your email address appears in global data leaks. HIBP was created by well-known security expert Troy Hunt and has been one of the go-to data leak databases for over 12 years. If HIBP reports that your email address or login credentials were leaked, don’t delay.
It’s especially important if you tend to use weak passwords, or if you’ve used weak passwords with your forgotten email accounts and online profiles. Here’s why this can be an issue:
- Weak passwords are weaker than ever: Passwords that were once acceptable are now weak and quickly cracked by modern systems.
- You aren’t monitoring them: Since you no longer log in to your old accounts, you don’t notice any intrusions. Hackers can nestle in your digital basement undisturbed for months or years.
- They’re used for backup recovery: Old email accounts are often used as backup or recovery addresses for your newer email accounts. If an old email account is taken over, it can serve as a bridge to take over your current email accounts as well.
- The reset cascade: Once access to an email account is gained, the domino effect begins. Hackers can systematically hijack your accounts for Amazon, PayPal, banks, social networks, etc.
Security checklist for old email accounts
Before you decide whether an old email account should be deleted or kept, take stock. Go beyond just looking at the inbox.
A crucial extra step is to look at the activity log, which shows you where and with which device someone last logged in. Particularly insidious are so-called “silent killers,” in which hackers set up hidden redirects to quietly intercept password reset links.
Here’s everything you should check on an old email account:
- Activity log: Check for logins from unfamiliar locations and/or unknown devices on unusual dates.
- Forwarding and filters: Search your email inbox settings for rules and filters that automatically copy or delete emails.
- Recovery data: Update any old mobile numbers or secondary email accounts that you no longer have access to.
- Third-party apps: Revoke access to your old email account on any linked apps, games, web services, etc.
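To make the “forwarding and filters” check concrete, here is an added example (not from the original article) that audits a list of mailbox rules for the two “silent killer” patterns: forwarding to an address you don’t recognise, and hiding or deleting security mail. It assumes the rules have been exported as dictionaries shaped like Gmail API filter resources; the sample rules and addresses are constructed.

```python
import re

# Assumption: rules are dicts shaped like Gmail API filter resources
# ({"id", "criteria", "action"}); other providers need a small adapter.
RESET_HINTS = re.compile(r"password|reset|verif|security|sign[- ]?in|login", re.I)

def audit_filters(filters, trusted_addresses=()):
    """Return (filter_id, reason) findings for rules that copy or hide mail."""
    trusted = {a.lower() for a in trusted_addresses}
    findings = []
    for f in filters:
        fid = f.get("id", "?")
        criteria = f.get("criteria", {})
        action = f.get("action", {})
        forward = (action.get("forward") or "").lower()
        added = set(action.get("addLabelIds", []))
        removed = set(action.get("removeLabelIds", []))
        # A rule "hides" mail if it trashes it or makes it skip the inbox.
        hides = "TRASH" in added or "INBOX" in removed
        # Text the rule matches on: sender, subject and free-form query.
        matched = " ".join(str(criteria.get(k, "")) for k in ("from", "subject", "query"))
        if forward and forward not in trusted:
            findings.append((fid, f"forwards mail to unrecognised address {forward}"))
        if hides and RESET_HINTS.search(matched):
            findings.append((fid, "hides or deletes security/password-reset mail"))
        elif hides and not matched.strip():
            findings.append((fid, "hides or deletes all incoming mail"))
    return findings

# Constructed sample rules (not taken from a real account).
SAMPLE_FILTERS = [
    {"id": "f1", "criteria": {"from": "newsletter@shop.example"},
     "action": {"addLabelIds": ["Label_7"], "removeLabelIds": ["INBOX"]}},
    {"id": "f2", "criteria": {"subject": "password reset"},
     "action": {"forward": "collector@mail.example", "addLabelIds": ["TRASH"]}},
    {"id": "f3", "criteria": {"query": "security alert OR new sign-in"},
     "action": {"removeLabelIds": ["INBOX", "UNREAD"]}},
    {"id": "f4", "criteria": {"from": "bank@bank.example"},
     "action": {"forward": "me@current.example"}},
]

if __name__ == "__main__":
    for fid, reason in audit_filters(SAMPLE_FILTERS, ["me@current.example"]):
        print(f"{fid}: {reason}")
```

Any rule it flags should be opened in the mailbox settings and deleted unless you remember creating it.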
Keep or delete? Your two options
Once you’ve taken stock, it’s time to make a strategic decision. If you want to keep the email account, you should secure and harden it ASAP. If you decide to deactivate it, you’ll want to be patient—don’t delete the account on a whim, but rather ensure a clean transition so that no stranger can ever take over your old digital identities later.
What’s tricky is that many email providers release deleted email addresses to new users after a blocking period. Anyone who registers a new account using your deleted email address could potentially gain access to your accounts via the “forgot password” function.
Option 1: Harden the account
- Password cleanup: Change the password on the account to something new and complex. Aim for at least 12 characters with special symbols, but the more the merrier. Better yet, consider switching over to passkeys wherever possible.
- Activate two-factor authentication (2FA): 2FA is an absolute must these days if you care about account security.
Option 2: Delete the account properly
- Inventory and relocate: Hunt down all the services that are linked to the email account (or at least the most important ones) and transfer them to your current email account.
- Wait through a test period: Leave the old email account open but inactive for at least 4 weeks and see if any important emails come in during that time. If you’re concerned, you can wait even longer.
- Final deletion: Permanently close the account with the provider.
Are premium email accounts worth it?
In a world inundated with free services, we often pay with our data and/or a lower margin of security. If you need even more privacy and/or security, a premium email account from a specialized provider can prove to be a sensible investment.
Potential benefits include:
- Hardware token support: A hardware token is a physical device that you can use to verify your identity when logging in to a service, for example a YubiKey 5C Security Key.
- Customer service: Quick on-demand help from real employees instead of automated bots when your account is hacked.
- Data privacy: No analysis of your emails for advertising purposes.
Take 15 minutes to protect your digital life
Online security is not something you can “achieve” once and for all, then forget all about it. It’s an ongoing process that demands constant vigilance, with regular hardening and revisiting.
A forgotten email account is like an open back door to your house—it doesn’t matter how secure your front door is as long as this hole exists. Our advice? Take the time for this digital housekeeping. It’s a small investment that can save you a lot of trouble down the road.