A friend of mine found out his email had been compromised not through his main Gmail, not through his bank, but through a gaming forum he'd signed up for in 2011 and completely forgotten about. The attackers used his recycled password from that dead account to get into his email. From there, they reset his PayPal password and drained it. The whole chain started with a website he hadn't visited in over a decade.
This is not a freak occurrence. It's the default outcome when you leave digital debris scattered across the internet.
The Problem Isn't the Accounts You Remember
Most people think about security in terms of their active accounts. But the real exposure lives in the graveyard — the food delivery app you used once, the news site you registered for to read one article, the startup that pivoted three times and probably sold its user database to cover costs.
According to Have I Been Pwned, over 14 billion accounts have been exposed in data breaches catalogued by their service alone. A meaningful portion of those are dormant accounts nobody is actively monitoring.
When those sites get breached — and they will — your email and password get bundled into a list and sold. If you reused that password anywhere, someone will try it.
Start by Finding What's Out There
Before you can delete anything, you need to know what exists. Open your email client and search for terms like "welcome to," "confirm your email," "verify your account," and "thank you for registering." You'll find accounts you haven't thought about in years.
Do this for every email address you've ever used. The old Hotmail address from high school counts. So does the one you made for a job that didn't work out.
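The same search can be scripted over an exported mailbox. The sketch below is an added example, not part of the original article: it matches the search phrases above against subject lines only and groups hits by sender domain. The function names, the `.example` domains and the sample messages are all constructed for illustration.

```python
from email.message import EmailMessage
from email.utils import parseaddr, parsedate_to_datetime

# Subject phrases from the search terms suggested above.
SIGNUP_PHRASES = ("welcome to", "confirm your email",
                  "verify your account", "thank you for registering")


def find_signup_senders(messages):
    """Map sender domain -> earliest year a sign-up style message arrived."""
    found = {}
    for msg in messages:
        subject = str(msg.get("Subject", "")).lower()
        if not any(phrase in subject for phrase in SIGNUP_PHRASES):
            continue
        domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
        if not domain:
            continue  # malformed or missing From header
        try:
            year = parsedate_to_datetime(str(msg.get("Date", ""))).year
        except (TypeError, ValueError):
            year = None  # keep the account even when the date is unreadable
        known = found.get(domain)
        if domain not in found or (year is not None and (known is None or year < known)):
            found[domain] = year
    return found


def sample_message(sender, subject, date=None):
    """Build one constructed message; none of these are real mail."""
    msg = EmailMessage()
    msg["From"], msg["Subject"] = sender, subject
    if date:
        msg["Date"] = date
    return msg


SAMPLE_MAIL = [
    sample_message("Forum Bot <noreply@forum.example>", "Welcome to GameForum!", "15 Mar 2011 10:00:00 +0000"),
    sample_message("noreply@forum.example", "Verify your account", "16 Mar 2011 09:00:00 +0000"),
    sample_message("News <signup@news.example>", "Please confirm your email address", "2 Jun 2016 08:30:00 +0000"),
    sample_message("orders@shop.example", "Thank you for registering"),  # no Date header
    sample_message("Friend <pal@mail.example>", "Lunch on Friday?", "3 Jun 2016 12:00:00 +0000"),
]

if __name__ == "__main__":
    hits = find_signup_senders(SAMPLE_MAIL)
    for domain, year in sorted(hits.items(), key=lambda kv: (kv[1] is None, kv[1] or 0)):
        print(year or "unknown", domain)
```

To run it on real mail, pass an iterable of messages such as `mailbox.mbox(path)` from the Python standard library, once per exported address.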
A password manager with breach alerts — 1Password, Bitwarden, or even Apple's built-in Keychain — will flag if your credentials appear in known breaches. Run that audit now, not after something goes wrong.
The Counterintuitive Part Most Articles Skip
Here's what nobody tells you: deleting an account is often more dangerous than keeping it if you do it wrong.
When you request account deletion through a company's process, most platforms require you to log in first. That means you need to reset a forgotten password, which sends a link to your email. Fine. But some platforms — especially older ones — don't actually delete your data. They "deactivate" you. Your email, your password hash, your personal info are still sitting in their database.
The smarter move before deletion: change the email address on the account to a throwaway (something like a temp-mail address), change the password to a random 30-character string, and then request deletion. That way, even if the "deletion" is fake, the data on file is garbage.
The Actual Process, Step by Step
For accounts you want to close, JustDeleteMe is a directory that rates how difficult each service makes it to delete your account and links you directly to the deletion page. It removes the guesswork.
Work through accounts in priority order:
- High-risk first: Any account that has your credit card, bank info, home address, or government ID. These are the ones that cause real financial damage if compromised.
- Email-linked accounts second: Anything that can trigger a password reset to an email you still use.
- Everything else: Forums, old social media, loyalty programs, streaming trials.
For accounts you want to keep but rarely use, enable two-factor authentication (2FA) and generate a unique password. A hardware key like a YubiKey is the strongest option for sensitive accounts. An authenticator app like Authy or Google Authenticator is a solid second choice. SMS-based 2FA is better than nothing but is the weakest of the three — SIM-swapping attacks have made it unreliable.
What to Do About Breached Credentials Right Now
If your email shows up in a breach, don't just change the password on the breached site. Assume that password is permanently compromised and do a full audit of everywhere you used it.
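That audit can be run over a password manager's CSV export. The following is an added example, not part of the original article: it assumes an export with `name`, `username` and `password` columns (real exports differ by product), and the sample rows are constructed. It reports account names only and never outputs a password.

```python
import csv
import io
from collections import defaultdict

# Constructed export; the column names are an assumption about the CSV layout.
SAMPLE_EXPORT = """name,username,password
GameForum,me@mail.example,constructed-pass-A
Mail,me@mail.example,constructed-pass-A
PayShop,me@mail.example,constructed-pass-A
NewsSite,me@mail.example,constructed-pass-B
Recipes,old@mail.example,constructed-pass-B
Bank,me@mail.example,constructed-pass-C
"""


def audit_reuse(csv_text, breached):
    """Return (accounts sharing a password with a breached one, all reuse groups).

    `breached` is a set of entry names known to be in a breach.
    """
    by_password = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["password"]:  # skip entries with no stored password
            by_password[row["password"]].append(row["name"])

    exposed, reuse_groups = set(), []
    for names in by_password.values():
        if len(names) > 1:
            reuse_groups.append(sorted(names))  # reused, breached or not
        if breached & set(names):
            exposed.update(names)  # every account behind the leaked password
    return sorted(exposed - breached), sorted(reuse_groups)


if __name__ == "__main__":
    also_rotate, groups = audit_reuse(SAMPLE_EXPORT, {"GameForum"})
    print("Rotate in addition to the breached site:", ", ".join(also_rotate))
    for group in groups:
        print("Shared password:", ", ".join(group))
```

Delete the export file once the audit is done, since it holds every password in plaintext.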
According to the Identity Theft Resource Center's 2023 Annual Data Breach Report, data breach notices are being sent later and to fewer victims than in previous years, meaning you often can't rely on companies to tell you when your data has been exposed. The assumption should be that any account older than a few years, at a site that isn't a major platform, has probably already been caught in something.
Use a breach-checking tool, change passwords proactively, and stop treating old accounts as harmless.
One Honest Caveat
This process is tedious. Actually tedious. You will hit dead sites that no longer have functioning deletion flows, companies that send you in circles, and services that technically "comply" with your request while retaining your data in backups for years. The GDPR gives European users the right to erasure, but enforcement is inconsistent, and most Americans have no equivalent legal lever. You can reduce your exposure significantly — but you cannot scrub yourself from every database that already has your information. The goal is damage containment, not perfection.
Sources:
- Have I Been Pwned
- JustDeleteMe
- Identity Theft Resource Center 2023 Annual Data Breach Report
