Full Report
Google has announced a new policy on dealing with inactive accounts - and it's an important read for anyone who doesn't regularly log in. Read more in my article on the Hot for Security blog.
Analysis Summary
# Main Topic
Google's new policy concerning the deletion of inactive accounts, which poses a risk of data loss (including irreplaceable digital memories and files) for users who fail to log in or interact with their accounts for a period of two years or more.
## Key Points
- Google's policy targets inactive accounts because they are "at least 10x less likely than active accounts to have 2-step-verification set up."
- Unsecured, abandoned accounts present risks such as being used to send spam, commit identity theft, or spread malicious content.
- The earliest deletion date for affected accounts is set for December 2023, starting with accounts that were created but never used.
- Google states it will send multiple warning notifications to the email and recovery email addresses prior to deletion.
- Inactivity is defined by *not* logging in for two years, or by failing to perform specific interactive actions.
## Threat Actors
- **Threat Actor Implication:** Cybercriminals who exploit poorly secured, inactive accounts for spam or malicious activity.
- **Attribution:** Not attributed to a specific named state-sponsored or criminal group; the focus is on the *threat* posed by criminals who abuse inactive accounts.
## TTPs
- **Exploitation of Weak Configuration:** Targeting accounts lacking 2-Step Verification (2SV).
- **Account Takeover (Implied):** Utilizing compromised credentials (old or reused passwords) associated with inactive accounts.
- **Malicious Use:** Using compromised accounts for spam distribution or identity theft.
## Affected Systems
- **Platform:** Google Accounts (including associated services like Gmail, Google Drive, YouTube, Google Play Store, and Google Search).
- **Condition:** Accounts that have not been signed into or actively used (reading email, downloading apps, watching videos, etc.) within a two-year period.
## Mitigations
- **Primary Action:** Log into the Google account at least once every two years.
- **Alternative Activity to Prevent Deletion:**
  - Reading or sending an email.
  - Using Google Drive.
  - Watching a YouTube video.
  - Downloading an app from the Google Play Store.
  - Using Google Search.
  - Using "Sign in with Google" for third-party apps.
- **Security Hardening (Recommended Best Practices):**
  - Ensure accounts are protected with strong, unique passwords (use of a password manager recommended).
  - Set a recovery email address that is actively monitored.
  - Enable Two-Step Verification (2SV).
- **Data Preservation:** Users should back up irreplaceable data stored within Google services (e.g., Google Drive).
## Conclusion
The primary threat is accidental data loss due to policy enforcement, compounded by the security risk unsecured accounts pose to the broader ecosystem. Users must audit their old/secondary Google accounts immediately, establish a login or interaction routine (or ensure recovery paths are set), and enable multi-factor authentication to prevent both deletion and potential compromise.