If this helped, forward it to one person who’d benefit.
That shopping account from 2014, the old email address, the forum you joined once. You forgot them. Scammers didn't. Here's the 15-minute cleanup that closes the door.
Quick question: how many online accounts have you created in your life? Not how many you use. How many you've created. Streaming trials, shopping sites, an old Yahoo or Hotmail address, that fitness app from a New Year's resolution, the forum you joined to ask one question in 2011.
For most adults, the honest answer is well over a hundred. And almost all of them are still out there: still holding your name, your email, maybe a saved card, and a password you probably reused somewhere else.
Those forgotten accounts are what this issue is about. They're called dormant accounts, and they're one of the quietest risks in your digital life, because the danger isn't anything you're doing. It's what you did years ago and forgot.
What Dormant Accounts Are
A dormant account is any account you've stopped using but never closed. It still exists on the company's servers, with whatever you left in it: your name, email, address, birthday, security questions, payment methods, message history, photos.
Why that's a problem comes down to two things:
Old accounts get breached, and nobody tells you in time. Companies get hacked years after you stopped caring about them. When that happens, your old email and password end up in leaked databases that criminals trade and sell. (We covered this in the data breach issue, and dormant accounts are where most of those leaked passwords come from.)
Old passwords get reused. Here's the move scammers actually make: they take an email and password leaked from some forgotten site and try that same combination on your email, your bank, your Amazon. It's called credential stuffing, and it's automated. They're not guessing your password. They're replaying one you used ten years ago and maybe never fully retired.
Your weakest account isn't the one you use every day with a strong password and two-factor authentication. It's the one you forgot you had.
Why It Matters
A few real ways this comes back to bite people:
The old email address. If an abandoned email account gets taken over, the attacker can use it to reset passwords on every account still linked to it. An old email isn't just one account. It's a master key to others.
The saved card. Dormant shopping accounts can hold working payment details. A takeover becomes quiet fraudulent purchases.
The impersonation kit. Old social media profiles get hijacked and used to scam your friends and family ("Hey, it's me, I'm in trouble, can you send money?"). You may never even know, because you stopped logging in years ago.
The data you forgot existed. Old accounts can hold real answers to security questions, your birthday, your past addresses. That's exactly the information scammers use to sound convincing.
⚠️ What to Watch For
Password reset emails you didn't request, especially for accounts you barely remember. That's often someone testing the lock.
"New login" or "new device" alerts from services you haven't touched in years.
Your email showing up in a breach notification for a company you'd forgotten you ever signed up with. Take it seriously even if you "don't use that account anymore." The password might still be alive somewhere else.
What to Do Right Now
You don't need to find all hundred accounts. You need a 15-minute cleanup, repeated now and then:
Hunt down your account graveyard. Three places list it for you: your browser or password manager's saved logins, your email (search for "welcome," "verify your email," and "your account"), and your phone's saved passwords (Settings → Passwords on iPhone). Skim the list and pick the three oldest or most surprising accounts.
Delete what you don't use; strip what you can't delete. Log in and look for "delete account" or "close account" (often hiding in privacy settings; justdelete.me has direct links for hundreds of sites). If a site won't let you delete, remove the saved card, clear personal details, and change the password to something long and random you'll never need again.
Retire the reused password everywhere. This is the step that matters most. If an old account used a password you still use anywhere today, change it on the accounts that count: email first, then banking and shopping. Your email account is the master key, so protect it with a unique password and two-factor authentication before anything else.
That's it. Three old accounts today. Do three more next month, and you've quietly closed the doors that matter most.
What Most People Miss
Old email addresses deserve special attention. Some providers recycle or deactivate addresses after long inactivity, and an address that expires or gets taken over can still be the recovery email on your current accounts. Spend two of your fifteen minutes checking your main accounts' recovery settings: if any of them point to an email you no longer control, update it today.
One honest heads-up: some companies make deletion genuinely annoying, and a few won't truly delete your data at all. Don't let a stubborn site stall the whole cleanup. Strip it, lock it with a random password, and move on. Progress over perfection.
📌 Quick Takeaways
👻 Every account you've ever created still exists unless you closed it, along with whatever you left inside.
🔑 The real danger is password reuse: one leaked old password gets tried on your email and bank automatically.
📧 Old email addresses are master keys. Make sure your recovery email is one you still control.
🧹 The 15-minute cleanup: find three old accounts, delete or strip them, retire any reused passwords.
🛡️ Protect your current email above everything: unique password plus two-factor authentication.
✅ Bottom Line
You can't un-create a hundred old accounts, and you don't need to. The risk lives in a handful of places: reused passwords, abandoned email addresses, and saved payment details. Fifteen minutes of cleanup, starting with your email account, takes most of that risk off the table. The ghosts only haunt the doors you leave unlocked.Until next time — stay private, stay safe.
— Peter Oram
Chief Cyber Safety Evangelist
P.S.: I’m working on a practical iPhone safety guide for parents.
Reach out if you’re interested in early access.
Join the Community! A Facebook group where you can ask your questions, get tips, and help others.
Want more practical tips like this?
👉 Subscribe or read past issues at newsletter.cybersafety.group
Have a topic you’d like covered?
📬 Email me directly: [email protected]
FOLLOW US ON SOCIAL MEDIA
