As Google starts deleting old Gmail and Photos content, security experts explain why it’s happening and why you must act right now to protect your data.
Google starts deleting inactive Google accounts on December 1, with Gmail, Photos, Docs and Drive content all in the purging crosshairs. With 1.8 billion Gmail users and even more when it comes to Google Photos, this will impact many people. As I reported previously, even if just 1% of accounts get deleted, then between 18 and 20 million will be affected. While many users are undoubtedly worried about this move, and I urge everyone to check their accounts as a matter of some urgency now, Google maintains that user security is behind the move. So, I thought I’d ask the security experts if that checks out.
The Gmail And Photos Deletion Security Conundrum
In May 2023, Google vice president of product management Ruth Kricheli stated that unused accounts are “more likely to be compromised” by malicious actors than active ones. One of the reasons is that they are “10x less likely than active accounts” to use two-factor authentication, a highly effective account compromise protection tool.
According to Elliott Wilkes, chief technology officer at Advanced Cyber Defence Systems, there are a couple of things to consider when looking at the risk posed by these old and inactive accounts. “It is well-known within the cybersecurity community (and within cybercriminal communities) that users share passwords across accounts,” Wilkes explains. “When one of the sites is compromised and has a data breach, attackers grab the leaked username, email, and password combinations and then try those for other sites.” Then there’s the impact of that compromise, especially where a Gmail account is concerned. “Email is used as an identifier across the internet,” Wilkes says, “and so clever cybercriminals can use this to impersonate you, through using the email to reset other account passwords.”
Account Connections Pose Security Threat
Jamie Akhtar, CEO at Cybersmart, agrees. “The risks associated with dormant Google accounts are considerable,” Akhtar warns, “If the account is connected to other Google services such as YouTube, Google Drive, or Google Photos, a hacker can easily access and misuse or hold that content/data for ransom. Worse still, if the account is connected to financial services like Google Pay, you could be left seriously out of pocket.”
Inactive Often Means Unobserved, And That’s A Security Red Flag
And then there’s the not-so-small matter of inactive, which also often means unobserved. “Because they aren’t actively used, any unauthorized activity can go unnoticed,” Javvad Malik, lead security awareness advocate at KnowBe4, explains. “Also, many people can forget which services they signed up for using that particular email, and password reset requests will often involve a reset link being sent to the registered email, which can then be used by criminals further. This could include things like facilitating identity theft, financial fraud, or reputational damage.”
Account Deletions Are A Big Privacy Win For Google And You
“Let the dead rest in peace,” says Ian Thornton-Trump, chief executive security officer at threat intelligence platform Cyjax. “I can see no compelling reason that abandoned accounts after two years of inactivity should not be deleted.”
Thornton-Trump told me that long-established businesses are getting breached all the time, and this information could “lead a malicious actor to an old email account using an inactive account in a cloud system which is unlikely to have multi-factor authentication enabled.” Thornton-Trump concludes that this is “a big privacy win and cost savings for Google; a two-year data deletion policy due to inactivity is a reasonable approach to shrinking people’s digital footprint.”
How To Prevent Google From Deleting Your Gmail And Photos Content
You still have time to protect your Gmail, Photos and other content as Google has stated it will start by deleting those accounts that were established but never used again. So, what do you need to do as a matter of some urgency?
Business Google accounts are out of scope as far as this deletion policy is concerned, as are educational ones. If your account includes YouTube content, then it is also safe. For everyone else, you need to log in to any Google accounts you are worried might not have been used in a while. This act alone will save it from the big delete key and save your data along with it. As I reported earlier this month, account access covers a lot of ground in terms of what will flag one as being active. Regarding Google Photos content, you must have logged into that account specifically within the last two years.