Privacy Fix: Search and Destroy Old Email Accounts

An unused email address can be a backdoor to your entire digital life


A lot of people have more than one email address, from old college accounts to long-forgotten AOL handles.

Spare email accounts can be useful for things like separating work from your personal life or filtering out spam. But if you have old email addresses that you aren’t monitoring, you may be putting your privacy and security at risk.

“Old email accounts are especially valuable for the cyber criminal because we don't go back and check them, which makes it more likely that a compromise will go unnoticed,” says Adrien Gendre, chief solution architect of Vade Secure, an email security firm. “It’s a vulnerability that a lot of people don’t realize they have.”

However, there are easy ways to stay safe.

Here’s what you need to know about the dangers posed by old email accounts, and a few simple steps you can follow to protect yourself.

The Risk

Breaking into an email account doesn’t require advanced hacking techniques. All a bad actor needs are passwords, and they can be easy to come by.

“Over the last two years, we've seen a lot of massive data breaches” that have leaked billions of usernames and passwords for a wide variety of services, Gendre says. Those credentials are for sale on illicit sites.

The bad guys know that many people make the mistake of reusing login credentials, and it's easy to use automated software to plug those passwords into other online services, hoping to stumble across a match. It's a hacking method known as “password stuffing.”


A hacker may also get to passwords through a phishing scam, where a fraudulent message tricks you into giving up a password for an email or a banking account. In addition to the immediate problem of giving up access to an account, you're subject to the same risk from password stuffing.

These techniques are cheap and efficient, Gendre says, and “we’re seeing it more and more.”

This kind of exposure can happen on any account, but dormant accounts are often more vulnerable because they get less of your attention as time goes by.

“If it's an older email account, you may not have touched it since before you got into good security habits, like using a password manager,” says Dan Guido, founder of the cybersecurity firm Trail of Bits.

And when something goes wrong, you may not notice until it’s too late, a problem that affected many Yahoo users in 2016 when the email provider experienced a breach of over a billion accounts.

When an email account falls into the wrong hands, it can be used to break into your other services and leave you open to identity theft or other problems. By snooping through your inbox, it’s easy to find other services you’ve signed up for using that email address, reset those passwords, and take control. The attacker can also use the email account itself to impersonate you online.

“Where it starts to get really problematic is when accounts overlap,” Guido says. “If you're using an old email account as a password reset mechanism for your primary email address, that becomes the weak link, and suddenly there’s a backdoor.”

The Solution

“One of the main strategies that I use to keep myself safe is to limit the number of things I need to pay attention to,” Guido says.

The best way to do that? Delete any unused account. A dormant email account is a security weakness you don’t need. In fact, finding and deleting all the old accounts you don’t use, from social media profiles to photo-sharing sites, is one of the easiest ways to protect your privacy and security.

Deleting accounts on major services like Google, Yahoo, or AOL is usually straightforward, though you may need to wade through multiple settings pages to find the kill switch. If you can’t figure out how to do it, get in touch with an administrator. Try sending a message to “admin” at your email domain name if all else fails.

If you don’t want to delete the account, take a few steps to give yourself a privacy boost. Some of the advice provided by security pros is the same you’ll hear for every online account.

“Make sure you use a unique password for each service,” Gendre says—a password manager can make that an easy project. If you're not reusing passwords, then you're not vulnerable to password stuffing.

Turning on two-factor authentication is also a critical step if it’s an option. With two-factor authentication, services will send you a verification code—via text or an app—to confirm your identity when anyone tries to access your account from an unverified location, device, or browser. That means that a password alone won't be enough to let a criminal log in.

Another strategy is to “devalue” the account to lessen the impact if something goes wrong. Guido recommends downloading all your old emails and erasing the data from the cloud. That way your personal information won’t be available to any online wrongdoers.

By the same token, you should separate old email addresses that you want to keep, but don’t check regularly, from any other services. If you’re not keeping an eye on an old inbox, you shouldn’t be using it as a backup to reset the password for other important accounts.

“These assets should be totally separate and isolated,” Guido says. “You want your digital life to be as simple as possible.”
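
The “weak link” described above can be found with a short inventory check. The Python below is an added illustration, not part of the original article: it lists dormant accounts and follows password-reset links to show what each one would expose. The account names, dates, and the rule that two-factor authentication stops a reset chain are assumptions made up for the example.

```python
from collections import deque
from datetime import date

# Constructed inventory (all names are made up): each account lists the mailbox
# that receives its password-reset mail, whether two-factor is on, and last login.
ACCOUNTS = {
    "old-college@example.edu": {"reset_to": None, "two_factor": False, "last_login": date(2012, 5, 1)},
    "primary@example.com": {"reset_to": "old-college@example.edu", "two_factor": False, "last_login": date(2019, 3, 1)},
    "bank": {"reset_to": "primary@example.com", "two_factor": True, "last_login": date(2019, 2, 20)},
    "photo-site": {"reset_to": "old-college@example.edu", "two_factor": False, "last_login": date(2015, 8, 9)},
    "shopping": {"reset_to": "primary@example.com", "two_factor": False, "last_login": date(2019, 1, 5)},
}

def dormant(accounts, today, max_idle_days=365):
    """Accounts not logged into for more than max_idle_days."""
    return sorted(name for name, a in accounts.items()
                  if (today - a["last_login"]).days > max_idle_days)

def exposed_if_lost(accounts, start):
    """Accounts that fall if `start` is taken over, following reset links.

    Assumption: an account with two-factor on still demands the second
    factor after a reset, so the chain stops there.
    """
    exposed, queue, seen = [], deque([start]), {start}
    while queue:
        mailbox = queue.popleft()
        for name, a in accounts.items():
            if a["reset_to"] == mailbox and name not in seen and not a["two_factor"]:
                seen.add(name)
                exposed.append(name)
                queue.append(name)
    return sorted(exposed)

def weak_links(accounts, today):
    """Map each dormant account to what a takeover of it would expose."""
    report = {}
    for name in dormant(accounts, today):
        downstream = exposed_if_lost(accounts, name)
        if downstream:
            report[name] = downstream
    return report

if __name__ == "__main__":
    for mailbox, downstream in weak_links(ACCOUNTS, date(2019, 4, 1)).items():
        print(f"{mailbox}: separate or delete; resets reach {downstream}")
```

Any mailbox that appears in the report should either be deleted or removed as the reset address for the accounts listed beside it.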

Digital Housekeeping

Do you ever feel overwhelmed by the number of log-ins and passwords you have? On the "Consumer 101" TV show, Consumer Reports’ expert Bree Fowler explains to host Jack Rico how to find and eliminate old online accounts.


Thomas Germain

I want to live in a world where consumers take advantage of technology, not the other way around. Access to reliable information is the way to make that happen, and that's why I spend my time chasing it down. When I'm off the clock, you can find me working my way through an ever-growing list of podcasts. Got a tip? Drop me an email or follow me on Twitter (@ThomasGermain) for my contact info on Signal.