Google begins deleting inactive accounts

Starting today, a new Google inactive account policy comes into effect, under which accounts that haven’t been active for two years will be deleted.

So, what counts as ‘activity’? Google provides a helpful list:

  • Reading or sending an email
  • Using Google Drive
  • Watching a YouTube video
  • Sharing a photo
  • Downloading an app
  • Using Google Search
  • Using Sign in with Google to sign in to a third-party app or service

Activity is defined by the account, not the device, so you won’t find yourself being deactivated just because you’ve switched to a different system.

Security experts have welcomed the news. Patrick Tiquet, VP of security and compliance at Keeper Security, says, “Inactive accounts can present significant cybersecurity risks, as these accounts may retain weak or unchanged passwords, creating vulnerabilities for unauthorized access and potential misuse by cybercriminals for phishing attacks or data exposure. When you combine the personal information stored in these accounts and potential interconnections to other services, there is a heightened risk of identity theft and unauthorized access to linked accounts. Additionally, the lack of monitoring for inactive accounts increases the likelihood of users being unaware of suspicious activities, allowing bad actors more time to exploit the compromised accounts.”

Ben Hutchison, associate principal security consultant at the Synopsys Software Integrity Group, echoes this view:

“Continuing to maintain a large number of inactive accounts is a little bit like not replacing those old, cracked windows on your property and in essence the potential attack surface of the system. Inactive accounts provide a means of potential ingress or compromise for attackers to take advantage of, and since they have by definition gone unused for long periods of time, they may be protected by weak locks (passwords) and their owners (users) are unlikely to notice signs of compromise or unauthorized activity.

“Compromising one account may lead to a cascade if the account compromised enables access to other platform services, the user reuses their password for other accounts or in the specific case of email compromise, providing attackers with the opportunity to abuse account reset workflows for other systems/services in combination with compromised credentials in the hope that the compromised account is linked to one of these, leading to further eventual takeovers.”

You will get advance warning before any action is taken to delete your account, with emails to both your Google account and to your designated recovery email — if you’ve set one up.
