Practical privacy and simple cybersecurity.
TheNewOil.org

How to Handle Old Accounts

If you’re like me, you probably lived a very long (in digital terms), very public life before getting into privacy and security. That means now that you’re into privacy and security, you’ve got a long trail of old, unused accounts either from old services you stopped using (raise your hand if you still have MySpace) or from services you tried out and never came back to. So this week, let’s talk about how to find those old accounts and what to do with them.

Why Does It Matter?

Before we dive in, let’s talk about why you should bother finding and neutralizing old accounts anyways. The short answer is because these accounts are a risk. If you created these accounts back before you were into privacy, they probably contain a lot of personal information about you like family members, friends, where you live/lived, your lifestyle and interests, pictures of you, and so on. This information can be abused for anything from stalking to social engineering and identity theft. Furthermore, social media scans are now considered a common part of employment background checks. I don't know about you, but I would hate to get passed over for a job for something dumb I posted five years ago that I might not even believe anymore.

As I often say, you should treat anything you post online as public record. Data breaches are a thing. 2020 saw an average of 7 million records exposed per day – a “record” being a data point such as a name, date of birth, or email address. This means that the longer you have those old accounts sitting out there, the more likely they are to get swept up in a data breach, exposing old messages, photos, email addresses, and passwords. And again, since those accounts were probably made before you were into privacy and security, that means they’re probably using a weak password that you’ve reused on other sites, opening the door for a domino effect of stolen data, phishing scams, and stalkers. So yes, you should attempt to find and close as many of your old accounts as you can.

Seek…

In order to close old accounts, you must first find them. You can probably remember many of them just by thinking back on your life and remembering the services you used to use. MySpace, LastFM, LiveJournal, Tumblr, Yahoo, these are just a few services that enjoyed a period of large popularity but have since declined. They may not be gone, but they’re not what they used to be. Going through your head and looking back on your past will probably remind you of some of the more prominent ones. But what about the ones you forgot?

There’s two main ways of finding old accounts. As much as I discourage the use of Google, I think they are probably the best search engine to use for this step. If you’re like me, you probably had a small number of usernames you used almost exclusively back in the day. Start by going to Google and searching those usernames in quotes, one at a time. The quotation marks are important, because that tells Google “only search for this exact thing and show me exact matches.” Once you’ve started running out of relevant search results, do the same thing but this time with your email address(es). This will likely turn up any other accounts that were not username based.

Often times, especially if this is the first time you’ve done this, this will probably bring up several of your accounts. Make sure to dig deep. Don’t stop at page 1, I recommend going to at least page 5 or 10 depending on how large your internet presence has been in the past. Just keep going until you go through a couple pages in a row of results that have nothing to do with you. This strategy will also likely bring up your personal information – like full name, address, and phone number – on a lot of people search websites. This is something I plan to talk about in the future, but for now this falls outside the scope of this post. If you're freaked out and feeling the urge to act immediately, I recommend this workbook from Michael Bazzell. It’s the same one I use every year to check for and erase my own data.

...and Destroy

Once you’ve found these old accounts, you’ll probably be able to easily log into them. After all, you probably used the same easy-to-remember weak password (or variation thereof) all over the place. Once you’re in, it should be fairly easy to navigate the account settings and find a “delete my account option.”

Should I Blank My Information First?

There’s a lot of debate in the privacy community about whether you should delete your old data first or if you should just go straight to the account deletion option. I think for most people, just immediately deleting the account is plenty fine. If you have a history of stalkers or a similarly higher threat model (or you simply want to go the extra mile), it may not be a bad idea to erase all the information or fill it with false information first and let it sit for 30 days before deleting it. I certainly don't think you're hurting yourself or exposing yourself to any extra risk by doing so.

What if I Can’t Delete My Account?

Some websites make it a nightmare to delete your account (coughAmazoncough) but if you’re positive you’ll never use the site again (or you can easily re-sign up if needed), I encourage you to go through this process. On the other hand, it’s rare but some websites won’t allow you to delete your account even after contacting customer service. If you live in Europe you can try to pull the GDPR card, but personally I think at that point there’s a better solution: paint the walls, lock the door, and never look back. If a service refuses to let you delete the account, empty it as much as you can. Delete names, bios, pictures, emails, everything you can. If something can’t be deleted, then replace it with fake information – a black box instead of a photo (or a photo of a dog, not your dog), a fake name, a forwarding email address, etc. Finally, change the password to the longest, most complex password the service allows, log out, clear your cookies, and forget they exist. It may not be a bad idea to hold onto that login information just in case. Regardless, the point is to make your account useless to anyone who looks. Stalkers won’t find any useful information about you. Cybercriminals won’t be able to get into the account. As time goes on, any real information they may have had about you will become more stale, so even if they suffer a data breach the exposure will be minimal. It should be noted that this is not good advice if you’re facing a highly advanced and dangerous adversary, such as being actively targeted by a government, but for 90% of my readers – the “average person” – this is a perfectly good solution.

When Not to Delete Accounts

Real quick, it would be remiss of me to note that there are times I don’t recommend deleting your accounts. I was a Google user for over ten years. I made the privacy switch several years ago and I still get the occasional email at my Gmail address that I want: an old account I found that needs to be deleted, an old client looking to reconnect, etc. I don’t ever recommend deleting any accounts you used for contact, two-factor authentication, professional or official purposes, or that you actively used for long periods of time. I do recommend changing the information in those accounts – removing names and such – using strong passwords and two-factor on them, and changing how you use them (ex: that Gmail account forwards to my new primary email account and then deletes the message in Gmail. I respond from my primary account, cutting Google out of the picture entirely). You run a serious risk when deleting such important accounts that you may need them for something important at a later date. Make sure not to burn any important bridges.

Moving Forward

I preach privacy and redundancy. That means having multiple accounts in case something goes wrong with one of them. I have both ProtonMail and Tutanota. I have several messenger apps and accounts, and multiple VPN services. This is in both my personal life AND my life as The New Oil, so I’m not necessarily preaching digital minimalism. As we move through life new, better services will pop up. Existing services will discontinue or become less desirable for any number of reasons. That means we will constantly be making new accounts and abandoning old ones. The trick is to move forward responsibly. If you make an account with a new service to test it out and end up not using it, be sure to erase it. If you move on to a new service and decide not to keep the old one for whatever reason, be sure to erase it. Stay on top of your stuff so that you can be future-proof. Don’t let past mistakes come to haunt present-you.

You can find more recommended services and programs at TheNewOil.org, and you can find our other content across the web here or support our work in a variety of ways here. You can also leave a comment on this post here: Discuss...