Is it good practice to delete old accounts?

Question

Is it a good idea to delete all old accounts you no longer use?

This was asked specifically about email here, but what about your Stack Exchange account? Or your social media accounts, old forum logins, abandoned cloud services?

To avoid the question being too broad, I'm asking specifically about the sometimes recommended practice of seeking out all your old accounts and deleting the ones you don't want. There are sites that help with this, such as "Just Delete Me" and "Account Killer", and suggest it is good security advice to do so.

Yes. (The answer is really that short to me but there is a 11 character minimum) — Kevin, Jan 23 '19 at 16:43

score 6 · Answer 1 · answered Jan 23 '19 at 19:03

6

Every account you have most likely contains personal (and potentially financial) information about you in one way or another.

The more accounts you have with different websites, forums, games etc, the increased chance that one of these accounts could be involved in a data breach.

I don't see a downside in deleting old accounts. This minimises risk, minimises your digital footprint and if you aren't using them then it shouldn't effect you if you get rid of them.

answered Jan 23 '19 at 19:03

HCF3301

211
1
2

Does it have any negative consequences for SE, and should I care about them? – user25221 Jan 24 '19 at 09:07
@user25221 There are no negative consequences to deleting your account on SE. – forest Jan 25 '19 at 03:03

score 2 · Answer 2 · answered Jan 23 '19 at 20:22

2

To an extent it could be considered good practice. However in most data breaches, the criminal is not interested in if an account is active or not. If you delete your account, your data persists on that system. Companies could do this for compliance reasons for keeping records or some other reason. Just because you tell them "delete" doesn't mean they deleted your PII (personally identifiable information).

answered Jan 23 '19 at 20:22

e-Euler

56
4

Note that this can be different due to GDPR: A company is obligated to remove any PII when requested under most circumstances. Whether or not GDPR is applicable and if a company should remove data is based on a lot of factors so if you are not sure, please contact a certified adviser. – Kevin Jan 23 '19 at 20:29
1

@KevinVoorn deleting your account and telling the service to delete all your PII from their systems are different things. – schroeder Jan 23 '19 at 20:32
@schroeder True, although both should be noted in this context. – Kevin Jan 23 '19 at 20:34

score 2 · Answer 3 · answered Jan 24 '19 at 07:01

Yes. I have tidied up my list of used accounts recently myself, so I would consider it good practice. Either keep your account information current or delete the account.

I have had some no longer actively used e-mail addresses: In case you registered for an account with an email that you no longer control, someone else could register that address first, then take over that account (with "reset password") for identity theft.

However, with some accounts it is very hard to get them deleted, for example with amazon.com, among others. In these cases I obfuscated the data to the extent possible.

Upvoting specifically for the `In case you registered for an account with an email that you no longer control, someone else could register that address first, then take over that account` piece. — sarnold, Jan 25 '19 at 02:57

score 1 · Answer 4 · answered Jan 24 '19 at 23:51

Like some of the other answers have said, every account has at least a small part of your user information in it somewhere. While that account exists, there is a possibility of that information leaking out through:

An attacker accessing the account: Someone may guess your password, or it may become part of a leak and an attacker will log in and copy out your information.
The site leaks your information directly: Even without exposing the password, the provider may leak your account information as part of an attack, or through privacy-hostile actions.

Deleting your account is one good way to avoid this kind of information leakage.

But I would argue that deleting the account does not protect you from the second case. When you delete your account, nothing (except recently GDPR in the EU) requires the provider to delete your information. So simply deleting the account cannot protect you completely.

Instead, I would recommend inserting new, false, information into all parts of the account (changing your address, real name, email, etc) then deleting the account. It still cannot fully protect you, but it may prevent the information from being leaked in the case that the provider keeps you information around.

TL;DR: Yes. Deleting your accounts is a good idea for security. But more can be done.

Either keep the accounts active, regularly update passwords, and monitor for leaks and privacy policy changes. Or insert false information into the account before deleting it.

score 1 · Answer 5 · answered Jan 27 '19 at 19:05

If you are not using them & do not intend to use them, then yes, it is certainly good practice.

These accounts will hold information about you, and given how cheap storage & bandwidth are these days, they could be storing alot of information about you. Of-course there is no guarantee this will be removed, even if they claim to, but it is good to reduce the attack surface.

In-fact I would ask why wouldn't you delete accounts you don't use and have no want to use anymore? (Aside from possibly preserving public contributions, but then really you still have use for them).

Just as one should remove software they have no need for, to reduce the attack surface; one should do the same with online accounts.

Attackers will use any information about you they can find. The less information they can get hold of, the better.

Is it good practice to delete old accounts?

5 Answers5