Dormant and Dangerous: How Your Forgotten Online Accounts Become Open Doors for Cybercriminals
Think back to the last time you signed up for a free trial, registered on a niche forum to answer a single question, or created a gaming profile for a title you played exactly once. Chances are that account still exists. The password is probably the same one you used for everything else in 2015. And if a data broker or criminal marketplace has already obtained that credential from a prior breach — which is increasingly likely — your forgotten profile is no longer dormant in any meaningful sense. It is actively waiting to be exploited.
This is the ghost account problem, and it affects virtually every American with more than a few years of online activity behind them.
Why Abandoned Accounts Accumulate So Quietly
The average American adult maintains somewhere between 80 and 150 online accounts at any given time, according to various industry estimates. A significant portion of those accounts are effectively abandoned — created, used briefly, and then forgotten as life moved on. Old email addresses from ISPs that no longer exist. Loyalty programs for retailers that have since gone bankrupt. Social networks that peaked around 2009. Subscription boxes that were canceled after the first shipment.
None of these accounts disappear on their own. Unless a service explicitly purges inactive users — which most do not, because stored user data has commercial value — those profiles persist indefinitely on remote servers. Your username, email address, date of birth, shipping history, and hashed password remain in a database you haven't thought about in a decade.
The danger compounds over time. The longer an account sits idle, the more likely it is that the underlying service has experienced a breach that you never heard about and never responded to. You didn't reset the password because you didn't know there was a reason to.
The Credential-Stuffing Threat You Probably Haven't Considered
Cybercriminals have industrialized the process of exploiting forgotten accounts through a technique called credential stuffing. The mechanics are straightforward: attackers acquire large lists of username-and-password combinations — often sourced from prior breaches sold on dark web marketplaces — and then use automated tools to test those credentials across hundreds of other platforms simultaneously.
The success rate of credential stuffing depends almost entirely on password reuse. If you used the same password on an obscure recipe website in 2013 that you also used on your bank account, and that recipe website was later breached, the criminal with your old credentials now has a viable path into your financial institution. They don't need to hack your bank directly. They simply need you to have reused a password somewhere less secure.
Abandoned accounts are disproportionately vulnerable to this attack vector for two reasons. First, users are far less likely to have updated passwords on accounts they no longer monitor. Second, dormant accounts rarely trigger the same fraud-detection scrutiny as active ones, meaning unauthorized access can go undetected for months.
Finding Your Ghost Accounts: A Practical Starting Point
The first challenge is simply identifying how many forgotten accounts you have. This is harder than it sounds, but the following approach covers most cases.
Search your email inbox systematically. Open your primary email account — and any secondary addresses you've used over the years — and search for terms like "welcome," "verify your email," "confirm your account," and "you've successfully registered." This will surface a surprisingly large number of service registrations you've long forgotten. Create a running list.
Check your password manager or browser-saved passwords. If you use a password manager, review the full list of stored entries. Anything that looks unfamiliar or that you haven't accessed in over a year is a candidate for review. Browser-saved passwords in Chrome, Firefox, or Edge can be accessed through the settings menu and serve the same purpose.
Use a breach-monitoring tool. Services like Norton's built-in dark web monitoring scan known breach databases for your email addresses and alert you when your credentials appear in compromised data sets. This is one of the most efficient ways to discover not only which accounts have been breached, but which email addresses you may have forgotten you even used.
Check "Sign in with Google" or "Sign in with Apple" histories. Both Google and Apple maintain records of every third-party service you've authenticated through their platforms. Reviewing these lists often reveals accounts that never generated a welcome email in the first place.
Auditing and Prioritizing Which Accounts to Close
Once you have a working list, the goal is not to close every account indiscriminately — it's to assess risk and act accordingly.
Prioritize accounts in the following order:
- Any account linked to a payment method. Even if you haven't shopped somewhere in years, stored card data represents direct financial exposure.
- Accounts that use the same password as any current active account. These are your most urgent credential-stuffing vulnerabilities.
- Accounts tied to your primary email address. Compromising a peripheral account becomes far more serious when it can be used to trigger password resets on your main email.
- Accounts on services that have previously disclosed breaches. Check resources like the publicly available HaveIBeenPwned database to identify services in your list that have confirmed exposure.
For each account you decide to close, the process typically involves logging in, navigating to account settings, and selecting a deletion or deactivation option. Many services make this deliberately difficult — some require you to email a support team, wait a mandatory period, or navigate through multiple confirmation screens. Persistence is necessary.
Before deleting, revoke any connected app permissions and remove stored payment information manually. Do not assume the account deletion process will automatically purge that data.
What to Do When You Can No Longer Log In
A common complication is discovering an old account you can no longer access — the associated email address no longer exists, or the password is completely lost. In these cases, use the service's account recovery flow to regain access before deletion. If recovery is impossible, contact the service's privacy or support team directly. Under regulations like the California Consumer Privacy Act (CCPA), US residents in California have the right to request deletion of their personal data even without account access. Many companies will honor similar requests from users in other states as a matter of policy.
Ongoing Prevention: Keeping Ghost Accounts from Accumulating Again
Eliminating existing ghost accounts is only half the solution. Developing habits that prevent future accumulation is equally important.
Consider using a dedicated email alias for new account registrations — services like SimpleLogin or Apple's Hide My Email generate unique addresses that forward to your real inbox, making it easy to trace and close accounts later. Use a password manager to record every new registration the moment it occurs, so nothing slips through the cracks. And set a recurring calendar reminder — quarterly is reasonable — to review your account list and close anything you're no longer using.
Norton's suite of security tools, including its dark web monitoring and identity protection features, can serve as a continuous backstop in this process. Rather than relying solely on manual audits, automated breach alerts ensure that if a dormant account you missed appears in a compromised data set, you'll know about it before a criminal acts on the information.
The Accounts You Forget Are the Ones That Come Back to Haunt You
Cybersecurity conversations often focus on the threats that are most visible — phishing emails, ransomware attacks, suspicious links. Ghost accounts rarely generate that kind of urgency. They sit quietly, accumulating risk at a pace that is easy to ignore until the consequences arrive.
The reality is that every unused account you leave open is a small but real vulnerability in your overall digital security posture. Taken individually, any one of them may seem inconsequential. Taken collectively — across the dozens or hundreds of forgotten profiles that most Americans have scattered across the internet — they represent a meaningful and addressable exposure.
The process of finding and closing them is not glamorous work. But it is among the most concrete and permanent security improvements the average person can make without spending a dollar or mastering a single technical skill.