A few years back I had an unusual request from a client to investigate their spouse’s online history for evidence of possible infidelity. I was asked to handle it discreetly and under the guise of investigating their computers for possible hacking or malware infection. Interestingly enough, it turned out that their computers had been hacked and the attackers had resurrected an old account from a dating site that the spouse had used when they were single. A friend had spotted the activity and brought it to the spouse’s attention who then brought it to me. Even though this cleared up one potential home-wrecking situation, it was only the tip of the iceberg for the couple, as this was only one of many accounts that had been compromised in the identity theft.
How many zombie accounts do you have?
One of the most overlooked double-edged swords of online services is the requirement of creating yet another account to access those services. These companies, for the sake of convenience, use your email address as the login, and it’s highly likely you, also for the sake of convenience, will use a password that is being used elsewhere, possibly repeatedly. Those of us who think of ourselves as only “casual” online participants will have dozens of accounts, and those of us who have lived and worked online since the birth of the internet will likely have created a hundred or more, with a large majority of them long forgotten and assumed dead and buried.
Many companies, from startup to Fortune 50, do not actively prune unused accounts, and many do not offer a way to remove or deactivate an account, regardless of whether it’s highly active or has never been used. It’s also possible for the data of a company that has gone out of business to end up on another company’s server, also forgotten and not maintained by the new custodians, and worse, not even accessible by the customers who created that data in the first place. Unfortunately for us, out of sight is not out of mind for a hacker, and these forgotten troves of data are often not as well protected, or even monitored, by the company that is supposed to be securing them.
What does this mean for me?
First, stop using the same password for multiple accounts. If one company gets hacked and your data is compromised (Has your login or password already been compromised?), it’s only a hop, skip and a jump for that login credential to be cross-matched on a dark-web database. Suddenly that LinkedIn account which you haven’t used in years has risen from the grave and bitten you right on the you know where on an account that does matter to you.
Secondly, take a lazy Sunday morning to go through your email looking for new account emails from long-forgotten accounts. You can search for them by using phrases like “new account” or “your password” or “account activated”. Make a list and then consider deleting or deactivating any of the accounts you are not using. There is no tried and true way to do this – each service (if it still exists) will have a different process for removing the old accounts, and some will do their damnedest to keep you from leaving, but no one ever said that being safe online was easy, so buckle up and dig in.
Thirdly, consider deleting those very same emails you just found that led you to those old accounts, especially the ones for accounts you are planning to keep, and particularly if they actually contain passwords. If you found them, someone with unauthorized access to your email account can find them as well and figure out ways to get into those accounts, especially if the emails contain passwords.
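As an added example that is not part of the original post, here is a script that automates the mailbox search from the second and third steps: it runs the same phrases over an mbox export, groups the hits by the sending domain so you get an inventory of services, and flags messages that still carry a password in the body so you know which ones to delete first. The sample messages, domain names and password pattern are constructed for illustration.

```python
"""Build a zombie-account inventory from a mailbox export (added example)."""
import email
import email.policy
import email.utils
import mailbox
import re

# Search phrases from the post that usually mark an account-creation e-mail.
ACCOUNT_PHRASES = ("new account", "your password", "account activated")
# Constructed pattern for bodies that still spell out a password (e.g. "password is ...").
PASSWORD_PATTERN = re.compile(r"\bpassword\s*(?:is|:)\s*\S+", re.IGNORECASE)

# Constructed sample mail, not real messages; .test is a reserved domain.
SAMPLE_MESSAGES = [
    "From: Welcome <noreply@example-dating.test>\nSubject: Your new account is ready\n\n"
    "Hi, your password is hunter2. Log in now.\n",
    "From: Billing <billing@utility.test>\nSubject: Your invoice\n\nAmount due: $40.\n",
    "From: support@old-forum.test\nSubject: Account activated\n\nThanks for joining!\n",
    "From: Welcome <noreply@example-dating.test>\nSubject: Reset your password\n\n"
    "Click the link to choose a new one.\n",
]


def parse_samples():
    """Parse the constructed samples into EmailMessage objects."""
    return [email.message_from_string(raw, policy=email.policy.default) for raw in SAMPLE_MESSAGES]


def _body_text(msg):
    """Return the plain-text body of a message, or '' if it has none."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def inventory_accounts(messages):
    """Group matching messages by sender domain.

    Returns {domain: {"count": n, "subjects": [...], "contains_password": bool}}.
    """
    found = {}
    for msg in messages:
        subject = msg.get("Subject", "") or ""
        body = _body_text(msg)
        if not any(p in (subject + "\n" + body).lower() for p in ACCOUNT_PHRASES):
            continue  # not an account-related e-mail
        domain = email.utils.parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower() or "unknown"
        entry = found.setdefault(domain, {"count": 0, "subjects": [], "contains_password": False})
        entry["count"] += 1
        entry["subjects"].append(subject)
        if PASSWORD_PATTERN.search(body):
            entry["contains_password"] = True  # delete this one first
    return found


def scan_mbox(path):
    """Run the inventory over a real mbox export (e.g. from a mail client)."""
    box = mailbox.mbox(path, factory=lambda f: email.message_from_binary_file(f, policy=email.policy.default))
    return inventory_accounts(box)
```

Call `scan_mbox("export.mbox")` on a mailbox export to get the domain-keyed inventory; each domain is a service whose account you should either close or keep and clean up.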