With the blogs in this series I want to reach not only my typical audience, security professionals, but especially less security aware people to help them improve their personal security. If you think the content is helpful for people you know, share it with them!
In the previous post I explained how important it is to remove redundant software in order to reduce security risks. The lesser desktop applications, mobile apps or browser extension the smaller the opportunity for criminals to exploit security holes.
The same principle of reducing the attack surface applies for your online accounts. Each one of them protects personal data. Forgotten accounts - often on outdated sites - or accounts that you no longer use, pose unnecessary risks. Remove the ones that you no longer need.
Know which accounts you have
If you want to know which of your user accounts are redundant you first need to know which accounts you have. Most people register accounts for a lot of online services and then over time forget about them.
If you're sure that you have a complete list of all your accounts - written down or stored in a password manager for example - you can skip the next section. Otherwise I recommend you to follow the tips to make your user account inventory as complete as possible.
How to find forgotten accounts
- Search for your name, email addresses or usernames you used in the past. Different search engines give different results. So don't limit yourself to your favorite search engine. A few examples are Google, DuckDuckGo, Bing, Startpage.
- Search in the inboxes of your different email accounts. Also the older email accounts that you might not use anymore. Search for terms that companies use when you register an account or issue a password reset. For instance "password", "password reset", "reset", "confirm your email", "verify your email". If you remember usernames that you used for online services, search for them as well.
- If you save logins and passwords in the browser, you can find the sites for which you did. In Firefox it works as follows.
Click on "Saved Logins" and you'll get an overview of the sites for which you have stored the username and password.
In chrome it works similar. If you have saved passwords you can access them (and the sites for which you saved them) via chrome://settings/passwords. If you use Safari, see this.
- This particular website is really handy. It's created in the first place to help you delete your online accounts, if that's possible at all. But it's also handy to help remember for which site you created an account. Go through the list and whenever you remember a service for which you created an account try to login or do a password reset with the different email addresses you have.
As a side note, like I said in this tweet I will consult this site in the future before creating an account. If the website for which I want to register an account is listed and it's impossible to delete my account I will just not register and look for an alternative.
- Use data breach notification services like Have I Been Pwned and search for all the email addresses you still remember. When an email addresses is found in a data breach the application will show up in the results. In this post you can find more data breach notification services.
Update your user account inventory
When you have done all these steps make sure you write down or store all the accounts you have in your password manager. If you want more guidance about secure storing of usernames and passwords, see also this article.
Remove the accounts you don't use anymore
Once you have an overview of all your accounts you can start with the cleanup. Let's say you have a Facebook account that you want to remove. You can again use the same website. Just search for "Facebook" and you'll get the Facebook tile as a result. I clicked on "show info" and I get a description of how to delete a Facebook account.
When you click on the header of the tile, "Facebook" in this case, you get redirected to the application.
Note that some sites give you the option to download the data they store about you. It might be a good idea to download them first before you delete your account.
If you can't delete the user account via the website, contact the company. In this post you find some more guidance on how to delete accounts for several popular online services.
When deleting accounts (probably) doesn't work
It's possible that you are locked out of an account and you can't access the registration email adress anymore. It could be because that email address no longer exists or because it's hacked and the attacker changed the password. At that moment the only thing you can try is to contact the company and see if you can prove that the account actually belongs to you. Or it could be that the company doesn't exist anymore. In that case you can only hope that your personal data was properly removed.
Conclusion
Go find these old accounts and remove the ones that you don't need anymore. Make sure you have an up to date inventory. And keep it up to date. Consistently add every new account that you register.
That's it for today. More security advice tomorrow, in the meantime stay safe online!