How to prevent 'zombie accounts' from haunting your digital identity

All those online services and accounts you've let languish are like zombies waiting to rise from the grave and bite you

Zombies are a pervasive cultural theme these days. We have no shortage of zombie-apocalypse movies and literature, and the United States military and the Centers for Disease Control even offer tongue-in-cheek zombie-response plans. But there are other zombies that don't get the attention they deserve--the zombie accounts you have lingering around the Internet.

Stop and consider how many different websites, social networks, and other online services you've joined over the years. For that matter, think of all of the software, mobile apps, browser plug-ins, and other things you've installed on your PC or mobile devices.

How many of them do you use on a regular basis? And how many of them still link to your Facebook or Twitter profiles? More important, how many of them do you actively manage and update to ensure that they're properly protected?

Here are the dangers to watch for, plus a few tips for dealing with the user accounts that just won't die.

The undead: A major headache for the living

I haven't used MySpace in ages; it has probably been at least five years since I've even logged in to the once-dominant social network. But as it turns out, I still have an active account there. I needed a couple of tries to recall (or guess, really) my login email and password, but I got in.

Once I logged in, I found information about where I lived and worked, and a few invitations to play online games from early 2009, as well as connections to friends and their personal information. I can all but guarantee that none of those friends has thought about MySpace in years, either.

Many people use only simple, easily remembered passwords across sites and services that don't have access to sensitive data. Secure password practices suggest that you should use unique, complex passwords for all sites, but many people do so only for banks, credit cards, and maybe social networking accounts.

Using the same password on multiple sites is a bad idea, though. Even online platforms that don't have access to financial information or Social Security numbers can still reveal seemingly innocuous details, providing hackers with clues for breaking into your other accounts. My MySpace profile, for instance, contains personal details such as the name of my high school and my zodiac sign--providing hints about things that sites commonly use as authentication questions.

Wolfgang Kandek, CTO of security firm Qualys, learned the hard way that reusing passwords can backfire. Kandek says, "I used to use a common 'beater' password for these types of sites, but it recently came back to haunt me when my password at Stratfor leaked and in the subsequent inventory I found that I had used it for many sites that I have come to consider important."

Kevin Haley, director of Symantec Security Response, warns that zombie accounts could get hacked, and that the data shared with those accounts could be stolen or exposed--but he also notes that the risk isn't necessarily any greater than it is for the sites you actively use.

Keep in mind, however, that more-obscure sites and services don't have the resources of Facebook or Google, and may not be as actively maintained and protected.

Deactivate or delete unused accounts and applications

If you're not going to use a social network, app, or online service any longer, shut down your account. In many cases people simply walk away and stop using a tool or service, but leave it active and do nothing to remove or protect any information it has access to.

Many sites and services don't have a defined data-retention policy, so as far as you know the data you posted to your account could be retained indefinitely. A server breach or compromise years from now could expose information that you forgot you ever even shared.

Paul Henry, security and forensic analyst for security firm Lumension, cautions that deactivating an account and removing sensitive data is easier said than done. "Look at sites like Facebook--you really have to work to remove your data. Even if you delete your information, it will still be around for at least 30 days. And if you then log back in within that 30-day window, they'll keep your information forever, even if you redelete."

Henry also stresses that unused applications and plug-ins are a bigger threat than the possibility of a forgotten website being hacked. Odds are good that you aren't patching and updating software you aren't even using. When attackers find vulnerabilities in those programs, they become an easy back door for compromising your PC.

Part of the problem is that people rarely make a conscious decision to pull the plug on a site or service. You might just stop visiting a site frequently, and eventually forget about it entirely. It takes a little work to stay on top of these things, but you should make the effort to ensure that you don't expose yourself to undue risk or leave sensitive information vulnerable.

Use a password-management utility

It isn't easy to come up with unique passwords, never mind keeping track of all of them. A 2012 survey found that most adults have five or more unique passwords, and that nearly 10 percent report having 20 or more passwords. Major data breaches over the past few years, however, have exposed the fact that many of those passwords are easily guessed strings (like "12345" and "password") that provide essentially no security at all.

Kandek learned his lesson after the Stratfor incident. It prompted him to change his behavior and start using a password manager to generate a different password for every site rather than reusing the same one over and over. "I have been very disciplined, and it has proven quite workable and useful. I use LastPass because they support Linux and Chromebooks well and offer two-factor authentication."

Of course, an online service like LastPass is itself a risk, so it's not exactly a silver bullet. There was some concern in 2011 that LastPass may have been breached, but that turned out to be an overreaction to anomalous network traffic.
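The "inventory" Kandek describes after the Stratfor leak, and the stale-account cleanup the previous section recommends, can be done mechanically once your logins live in a password manager. The script below is an added example, not code from the article or from LastPass: it reads a CSV export, groups entries that share a password (reported by a hash fingerprint, never the password itself), lists accounts with no use in a set number of years, and flags passwords on a short common-guess list or shorter than a chosen length. The column names (url,username,password,name,last_used) and the sample rows are constructed for illustration; real manager exports use their own headers and may not record a last-used date, so adjust the parser to match yours.

```python
"""Inventory a password-manager CSV export for zombie-account risk.

Flags (1) passwords reused across more than one site, (2) entries not used
in years, (3) passwords on a short list of common guesses or too short.
Passwords are never written to the report, only a short hash fingerprint.
"""
import csv
import hashlib
import io
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample in an assumed column layout. Real exports differ per
# manager; rename the headers below to match yours before running on real data.
SAMPLE_EXPORT = """url,username,password,name,last_used
https://www.myspace.com,tony,beater123,MySpace,2009-02-14
https://www.facebook.com,tony,Hx9!qv2Lp$7wRe,Facebook,2013-05-01
https://forum.example.net,tony,beater123,Old hobby forum,2010-08-30
https://bank.example.com,tony,beater123,Bank,2013-04-28
https://games.example.org,tony,password,Browser games,2008-11-02
"""

# Tiny illustrative list; a real check would use a full breached-password set.
COMMON_PASSWORDS = {"12345", "123456", "password", "qwerty", "letmein"}


def fingerprint(password: str) -> str:
    """Tag used in place of the secret in reports.

    A 12-hex-char SHA-256 prefix of a weak password is trivially brute-forced;
    it only keeps the plaintext off a printed or shared report.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def parse_export(csv_text: str) -> list[dict]:
    """Parse the CSV export and convert last_used to a date object."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["last_used"] = date.fromisoformat(row["last_used"])
    return rows


def reused_passwords(entries) -> dict[str, list[str]]:
    """Map password fingerprint -> site names, for passwords used on 2+ sites."""
    groups = defaultdict(list)
    for e in entries:
        groups[fingerprint(e["password"])].append(e["name"])
    return {fp: sorted(names) for fp, names in groups.items() if len(names) > 1}


def stale_accounts(entries, as_of: date, years: int = 2) -> list[str]:
    """Sites whose last recorded use is older than `years` before `as_of`."""
    cutoff = as_of - timedelta(days=365 * years)
    return sorted(e["name"] for e in entries if e["last_used"] < cutoff)


def weak_passwords(entries, min_len: int = 12) -> list[str]:
    """Sites whose password is a common guess or shorter than min_len."""
    return sorted(
        e["name"] for e in entries
        if e["password"].lower() in COMMON_PASSWORDS or len(e["password"]) < min_len
    )


def build_report(csv_text: str, as_of_iso: str) -> dict:
    """Run all three checks; as_of_iso is the review date as YYYY-MM-DD."""
    entries = parse_export(csv_text)
    as_of = date.fromisoformat(as_of_iso)
    return {
        "reused": reused_passwords(entries),
        "stale": stale_accounts(entries, as_of),
        "weak": weak_passwords(entries),
    }


if __name__ == "__main__":
    report = build_report(SAMPLE_EXPORT, "2013-06-01")
    for fp, sites in report["reused"].items():
        print(f"password {fp} shared by: {', '.join(sites)}")
    print("stale (no use in 2+ years):", ", ".join(report["stale"]))
    print("weak or common:", ", ".join(report["weak"]))
```

Work through the output in priority order: a site that appears in both the reused and stale lists is the classic zombie account, so change the shared password on every live site in that group first, then delete the stale ones. Treat the export file itself as sensitive and remove it when you are done.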

Nevertheless, be sure to follow these tips and take steps to deactivate or delete unused services and applications, or your zombie accounts will eventually come back to haunt you.

Stories by Tony Bradley