Significant Security Risks posed by Inactive Accounts for Account Takeover

According to a report from Okta, inactive and forgotten accounts pose significant security risks to both users and businesses, because cyber criminals are adept at using information stolen from such accounts to compromise active ones. The report surveyed over 20,000 consumers from 14 countries on their online experiences and attitudes towards digital security and identity. It found that increasing identity sprawl, driven by accounts that have not been used or thought about in years, can trigger significant account takeover (ATO) security risks. These risks are particularly significant if customers reuse (or only slightly alter) passwords or fail to perform security reviews.

The proliferation of online accounts is most common among younger users, but it’s significant across most age groups. Older accounts are often forgotten and remain unused for years. A significant challenge of account churn is securely managing and maintaining digital footprints across large numbers of accounts. The report also found that while 71% of respondents are aware that their online activities leave a data trail, only 44% take steps to mitigate the risks.

Password management appears to be a particular sticking point, with 63% of respondents admitting that they are unable to log in to an account because they forgot their username or password at least once a month. While password resets are usually possible, users might decide that the process is simply not worth the effort, leading to more account inactivity. Only 52% of respondents reported that they still have access to all of their accounts, while just 42% use different passwords for each account and only 29% regularly review/change account privacy settings.

Inactive accounts that haven’t been accessed in an extended period are more likely to be compromised. “This is because forgotten or unattended accounts often rely on old or re-used passwords that may have been compromised, haven’t had two-factor (2FA) authentication set up, and receive fewer security checks by the user,” says Google. Abandoned accounts are at least ten times less likely than active accounts to have 2FA set up, making them particularly vulnerable. Once an account is compromised, it can be used for identity theft or as a vector for unwanted or malicious content.

More than 80% of breaches involving attacks against web applications can be attributed to stolen credentials, according to the Verizon 2022 Data Breach Investigations Report. Cyber criminals prioritize stolen credentials to enhance attacks and bypass security measures. They are even willing to shift away from malware in favor of credential abuse to facilitate access and persistence in victim environments. This trend has also created a clear demand for access broker services – criminal groups that sell stolen access credentials. There was a 112% year-over-year increase in advertisements for access broker services last year, with more than 2,500 advertisements for access detected across the criminal underground, according to the CrowdStrike 2023 Global Threat Report.

To address the risks of inactive accounts, Google announced that it is updating its inactivity policy for Google Accounts to two years. This means that if a personal account hasn’t been used or signed into for at least two years, Google may delete the account and its contents. This includes content within Google Workspace (Gmail, Docs, Drive, Meet, Calendar) and Google Photos, with the new rules coming into force no earlier than December 2023.

In conclusion, it’s important to keep accounts active or delete them altogether so that they are not compromised and used as a vector for unwanted or malicious content. Users should also take steps to mitigate digital risks by performing security reviews and using different passwords for each account. Users need to be aware that their online activities leave a data trail, and more needs to be done to increase password management awareness to help prevent unauthorized access to accounts. By taking steps to mitigate these potential risks, individuals can help stay protected and keep their data secure.
