Today is the day Google implements a new policy under which it reserves the right to delete accounts that have been inactive for two years. The company defines activity as “the actions you take when you log into or while logged in to your Google Account,” and gives these examples:
- Read or send an email
- Use Google Drive
- Watch a YouTube video
- Share a photo
- Download an app
- Use Google Search
- Sign in to a third-party app or service using Sign in with Google
The move was largely praised by cybersecurity experts. Keeper Security commented:
“Inactive accounts may have weak or unchanged passwords, creating vulnerabilities to unauthorized access or potential exploitation by cybercriminals, such as phishing attacks or data breaches. This can pose significant cybersecurity risks.”
Security engineer Colin Little of Afferent agreed:
“In any digital environment, inactivity and ‘disruption’ represent some level of risk. In particular, many inactive or legacy email accounts are likely to predate MFA, geolocation profiles, and other modern security controls, making them a higher risk. Therefore, if an inactive legacy account suddenly becomes active, not only will the original user of that account not be aware, but Google itself will have no way of knowing whether the activity was by an authorized user or whether the account was misused by an unauthorized one. Furthermore, because these inactive accounts predate our current security controls, Google has no mechanism to prevent unauthorized access. Because it’s common for users’ email addresses to be used to sign up for third-party services, and for those third-party services to be compromised and their email and password combinations stolen, I foresee a number of risks. For accounts that have been inactive for months, or in some cases years, it doesn’t take long for the email account to suddenly become active again and be exploited by bad actors, or for cybercriminals to access and steal its contents, which may contain sensitive information.”
Ben Hutchinson, Associate Principal Security Consultant at the Synopsys Software Integrity Group, said that maintaining an inactive account is like not replacing an old, cracked window on your property. He added: “Compromised accounts can gain access to other platform services, users may reuse passwords for other accounts, and in certain cases of email compromise a single account can be compromised and a cascade can occur if a compromised account is linked to one of these, ultimately leading to further takeovers, with the compromised credentials used to attack other systems/services in hopes of ”
Darren James, Senior Product Manager at Specops Software, an Outpost24 company, added:
“In the past, rather than using a personal email address, people often used free services like Google to create disposable email addresses. These mailboxes were used for specific tasks and then forgotten, which consumes resources on the Google platform but also comes with other potential risks:
- They usually have terrible passwords, and they may use the same passwords for their regular Google email accounts and other online services.
- 2FA is rarely enabled.
- Emails in these mailboxes, whether sent or received, may contain sensitive information about the actual user who created the email.
- These can be used to launch phishing scams, malware, and account takeover attacks.
“Google should be commended for ‘cleaning house’, as these accounts make an easy target for threat actors. Some personal data may be lost, but from a security perspective it certainly makes sense.”
Another problem is impersonation, which can lead to sophisticated social engineering attacks. “Apart from shared authentication, one of the most dangerous aspects of a compromised dormant account is impersonation,” explains Brian Higgins, security expert at Comparitech. “With access to contacts and old email conversations, it is very easy to create believable messages, pretending to be the account owner, to defraud or extort money. Depending on the nature of the account, it may store financial or business information that could be used by bad actors to commit further crimes.”
He further added: “It is widely agreed that it is good cyber hygiene to ‘weed out’ accounts in this way to mitigate all these vulnerabilities, but most established platforms don’t have a protocol for it because this issue wasn’t taken into account at launch. By 2050, it is estimated that there will be more deceased account holders on Facebook than living ones, and since only the owner can delete a Twitter/X account, server resources are required to maintain it. From a sustainability perspective, it makes sense for Google and all big tech companies to consider ways to remove inactive users.”