Can you recall every online service account you have? Maybe you signed up to access some content or because a friend asked you to, then lost interest. Many users simply stop logging in and don’t bother to delete their accounts. The accounts sit there, dormant, waiting to be hacked — but if they are, you won’t know about it anytime soon, if ever.
Abandoned account: What could go wrong
Does it really matter what happens to an unwanted profile, though? If it gets hacked, so what? You didn’t need it anyway. However, in some cases, an abandoned account can be exploited to gain access to resources and important information that you do need. Here’s what you need to know.
1. Social network accounts
Few people regularly check their accounts in all of their social networks. Say, for example, a person creates a Facebook profile, uses it to log in to Instagram and other services (handy, right?), and then realizes he doesn’t actually need Facebook — not an uncommon scenario. Sure, the social network continues to send e-mail notifications if the user didn’t bother to disable them, but they get filtered into a separate folder that he quit checking long ago.
Again, a more-than-plausible scenario. When the user receives an e-mail warning that someone logged into his account from an unknown device, he doesn’t see it. The cybercriminals who logged in have a free shot at the accounts linked to Facebook. They will also probably have time to sting some of the victim’s friends or followers on Facebook.
What to do
- Set up two-factor authentication. Lots of services offer it; here are our posts on setting up security, including 2FA, in Facebook and Twitter.
- Enable notifications about account logins from unknown devices — and pay attention to them.
2. Backup e-mail address
Many people set up a separate e-mail account for mailings and notifications so as not to clutter up their main mailbox, and use it for registering everything and anything, including profiles with important data. No messages from real people arrive there, so they don’t check it very often. Therefore, they may not notice for a long time that their backup e-mail has been hacked, at least not until they lose access to a very important account.
What to do
- Enable two-factor authentication for this account.
- Set up forwarding of messages from this mailbox to a separate folder in your primary e-mail account.
3. Password manager
What if you saved your account credentials in a password manager, and then decided to replace it with a different app? The profile in the old manager doesn’t go anywhere, and neither do the passwords in it (half of which you probably didn’t change). If someone gains access to this profile, they will be able to get into your accounts. And even if you do discover the theft of an account, it won’t be immediately obvious how the cybercriminal got hold of the password for it.
What to do
- Delete accounts in password managers if you no longer use them.
4. Online store account
Many stores invite you to link a bank card or online wallet to your account to make shopping easier. Some even do it automatically. If you are a frequent user, the temptation to do so is great. In addition, the profile is likely to contain your home or work address for delivery of goods, plus other valuable personal data.
But there may come a time when you stop using the service. If the account remains live and gets hacked, the cybercriminals will gain access to your data, which you will probably find out about only when they try to buy something in your name. Or just buy, without the trying bit, since not all services request an SMS code to confirm the transaction.
What to do
- Do not link a bank card to an online store account.
- If the service saves the card automatically, don’t forget to unlink it.
- Consider using a separate card with access to a small amount of money for online shopping.
5. Google work account
It is common to create separate Google accounts if you need access to Google Analytics and other services at work. Keeping personal and work profiles separate makes perfect sense. The problem is that many people forget to delete Google work accounts when they change jobs.
As a rule, company-created accounts are immediately blocked by IT security after the user departs. But they might miss ones that the former employee set up on their own, such as a Google account. The result could be one or more unclaimed accounts swimming around in the online ocean, offering passing sharks access to work documents and other confidential information. The hacking of such an account will be very, very hard to detect, because no one will even remember it exists.
What to do
- The departing employee doesn’t need to take any additional steps.
- The company has to revoke access to all services and Google accounts used by said employee.
6. Phone number
To keep their main phone number out of spam databases, some users have a separate one for various services, loyalty cards, bonus programs, public Wi-Fi networks, and so on. And sometimes the same phone number is used for two-factor authentication as well. Although technically a number is not an account and cannot be abandoned in the full sense of the word, problems can still arise. On the one hand, a number of accounts are linked to this number. On the other hand, you are unlikely to use this number for calling or texting.
The bottom line for the telco, meanwhile, is that an unused SIM is unprofitable. If you need a number solely to receive SMS messages and never spend anything on the account, the carrier can block it in three months and then resell it.
Sometimes those numbers are snapped up instantly, so you may not have time to relink your accounts to the new SIM. The buyer, on the other hand, will be able to find your accounts in the respective online services, and if they change the passwords, recovering them won’t be easy.
In particularly unfortunate cases, the new owner can even get access to bank accounts and online wallets linked to the number and spend your money before you have time to notify the bank. For example, a woman in California had her credit card charged after her operator recycled her number to another customer.
What to do
- Set a reminder to yourself to call or send a text from your additional phone number at least once a month.
- Always keep a positive balance on this phone.
How to avoid problems with abandoned accounts
As you can see, even an unneeded account can cause a lot of problems if hijacked. Preventing a problem is much easier than dealing with its consequences. Therefore, we recommend that you keep track of your accounts. Here are some general handy tips:
- Recall which online services you have registered for. Check which phone numbers and e-mails your accounts in social networks, online stores, banks, and other important services are linked to, and unlink all current profiles from inactive phone numbers and mailboxes.
- If you log in somewhere through Facebook, Twitter, or Google, or keep an additional e-mail or phone number for newsletters, public Wi-Fi, etc., check those accounts from time to time.
- If you decide to stop using a password manager, online store, or social media account, delete your accounts in these services.
- Turn on account login notifications in services that have this option — and review those notifications promptly.
- Use a security solution such as Kaspersky Security Cloud, which will notify you of leaks in services you use.
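The inventory check from the tips above can be kept as a small script. This is an added example, not part of the original article: the account names, dates and the `recovers_via` field are constructed, and the 90-day idle threshold is an assumption borrowed from the three-month figure quoted for unused SIMs. It flags dormant entries and shows which accounts still in use can be reached through them.

```python
from collections import deque
from datetime import date

# Constructed inventory: every name and date is made up for illustration.
# "recovers_via" lists what can log in to, or reset the password of, the entry.
INVENTORY = {
    "facebook":    {"last_used": date(2018, 3, 1),   "recovers_via": ["backup-mail"]},
    "instagram":   {"last_used": date(2020, 1, 20),  "recovers_via": ["facebook"]},
    "photo-app":   {"last_used": date(2020, 2, 5),   "recovers_via": ["instagram"]},
    "backup-mail": {"last_used": date(2019, 6, 5),   "recovers_via": ["second-sim"]},
    "second-sim":  {"last_used": date(2019, 9, 30),  "recovers_via": []},
    "bank":        {"last_used": date(2020, 2, 1),   "recovers_via": ["second-sim", "main-mail"]},
    "main-mail":   {"last_used": date(2020, 2, 3),   "recovers_via": []},
    "old-store":   {"last_used": date(2017, 11, 11), "recovers_via": ["main-mail"]},
}

def dormant_accounts(inventory, today, max_idle_days=90):
    """Names of entries that have not been used within max_idle_days."""
    return {name for name, acct in inventory.items()
            if (today - acct["last_used"]).days > max_idle_days}

def exposure_chain(inventory, start, dormant):
    """Shortest chain from an in-use account to a dormant entry that can reset it."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        for dep in inventory[path[-1]]["recovers_via"]:
            if dep in seen or dep not in inventory:
                continue  # already visited, or not tracked in the inventory
            if dep in dormant:
                return path + [dep]
            seen.add(dep)
            queue.append(path + [dep])
    return None

def audit(inventory, today, max_idle_days=90):
    """Return (dormant entries, {in-use account: chain to a dormant entry})."""
    dormant = dormant_accounts(inventory, today, max_idle_days)
    chains = {name: exposure_chain(inventory, name, dormant)
              for name in inventory if name not in dormant}
    return dormant, {name: chain for name, chain in chains.items() if chain}

if __name__ == "__main__":
    dormant, exposed = audit(INVENTORY, date(2020, 2, 10))
    print("Dormant (delete or secure):", sorted(dormant))
    for name, chain in exposed.items():
        print(f"{name} depends on a dormant entry: {' -> '.join(chain)}")
```

Entries listed as dormant are candidates for deletion; for each chain, relink the in-use account to a mailbox or number you actually check.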