An important update about old Google accounts

Hello Ichabods! As we get ready to start a new semester, we in cybersecurity would like to help you be as prepared as possible, and we want to let you know about an important update from Google concerning old Google accounts. According to the new policy, any account considered inactive by Google for two or more years will be pending deletion by December 2023, including not only your email but also pictures and anything within the Google Workspace, such as OneDrive content. Unfortunately, old accounts are security concerns: their credentials are often compromised, and the accounts themselves are unmonitored and less likely to be enrolled in multifactor authentication. Before the account is deleted, Google has stated that they will send out several notices to both the account and the recovery address (if one was provided). That presents a prime opportunity for malicious actors looking to capture your accounts and your information to send you fraudulent notifications claiming to be from Google. So, if you’re like many people and have a separate Google account that you use to sign up for spammy things and as a recovery backup, or have any other old Google account, let’s review some ways we can both keep our data and keep it secure.

What is an ‘inactive’ account, and how can I keep my account active?

According to the Google Safety & Security blog, an inactive account is any account that has not had any login activity for a period of 2 years and has not had any activity associated with the account within that time frame. If you want to make sure that your account is not flagged as inactive, make sure you log in at least every 2 years or perform one of the following activities on that account:

  • Read or send an email
  • Use Google Drive
  • Watch a YouTube video
  • Download an app on the Google Play Store
  • Use Google search
  • Use Sign in with Google to sign into a third-party app or service

Additionally, if you have an existing subscription such as Google One or another app, Google will consider this account activity. Finally, any account with YouTube videos on it is not currently being considered for deletion.

How can I keep my account secure from phishing attacks?

As briefly stated before, opportunistic criminals will see this new policy as an excellent way to try to steal your accounts and information. Knowing that Google will be sending out warnings about pending account deletion, there is no doubt that they are right now working up new phishing attacks to target you. Let’s review some common measures you can take to stay safe.

  • Urgent calls to action or threats - This is a classic tactic that cybercriminals use in their attempts to trick you, so it will not be at all surprising to see, in the coming months, an increasing number of emails purportedly from Google making dire warnings that your account or information is about to be deleted and you must act now! Most frequently they will provide a convenient link to click on and sign in, and that is how they trick you into giving them your credentials. Always be suspicious of emails demanding immediate action, and go to your account directly to verify any action needed.
  • Generic greetings - A malicious actor will likely not know whether you even have old accounts, and if you do, they likely will not know what the account name is. Be extra cautious when an email claims to be from an entity you’re familiar with but does not know basic information about you, such as the name of the account that is supposedly pending deletion.
  • Mismatched email domain - Be aware of the email domain of the sender of any email claiming to be from Google or any other service that you use. For example, if you receive an email claiming to be from Google, but it says at the end of the sender’s address, you know for sure that the message is fraudulent. If you need to verify the account, never click on any links in the email; instead, go straight to the Google page and log into your account yourself.
  • Spelling and grammar mistakes - Emails from professional organizations are often scrutinized before being published, so a high number of spelling and grammar mistakes is often a sign of an awkward translation or an intentional effort to evade spam filters.
  • Suspicious links and attachments - Never open links or attachments from any email that you have suspicions about or whose origin you do not know.

Again, it cannot be overstated: if there is a concern about your account, be it your Google or bank account, never trust an unverified email link, and go directly to your account yourself.

How can I back up my data if I no longer want the account?

According to the Google Safety and Security Blog, there are some tools and steps you can take to protect your information, or to handle your old accounts.

  • Make sure you have an up-to-date recovery email address in your account settings
  • Download and export your data to other platforms through the Google Takeout feature
  • Utilize Inactive Account Manager, which allows you to decide what happens to your account and data when it becomes inactive for a period of up to 18 months, which may include:
    • Sending specific files to trusted contacts of your choosing
    • Applying a Gmail autoresponder
    • Deleting your account entirely

As always, thank you for your continued vigilance!

--AU Information Security

