BreachExpress

Cybersecurity, explained for the rest of us.

General

How to Close Old Online Accounts: A Step-by-Step Deletion Guide

Margot 'Magic' Thorne@magicthorneMay 23, 202611 min read
A laptop screen showing multiple browser tabs with login pages, some marked with red X symbols, representing the process of systematically closing unused online accounts

You created accounts over the years. Some you used once. Some you forgot about. Some you actively avoid but never closed. They're still out there, holding your email address, password, maybe your phone number or billing information. When those sites get breached, and they will, your data enters the same criminal markets that fuel credential stuffing attacks and identity theft.

Closing unused accounts reduces your exposure. It's not glamorous. It's not fast. But it's one of the most effective things you can do to shrink your attack surface. This guide walks through the process step by step: finding old accounts, deciding what to delete, and actually getting them closed when companies make it deliberately difficult.

Why dormant accounts matter

An account you haven't touched in five years still exists in a database somewhere. It still contains whatever information you gave when you signed up. When that database gets breached, your data gets stolen alongside everyone else's. The FTC tracks data breaches and publishes guidance for consumers, but the underlying problem is structural: companies retain data indefinitely, and attackers target the easiest marks first.

Old accounts are easy marks. They often use weak passwords from an era before you knew better. They're tied to email addresses you might not monitor anymore. They lack two-factor authentication because the site didn't offer it when you signed up. When breached, they provide attackers with a foothold: an email address, a password you might have reused elsewhere, maybe a security question answer that's still accurate.

The identity theft recovery process becomes exponentially harder when you have dozens of accounts to secure. You can't change passwords on accounts you've forgotten exist. You can't monitor for suspicious activity on services you don't remember joining. Closing accounts you don't use removes them from the equation entirely.

Finding accounts you forgot about

Start with your email. Search for terms like "welcome," "verify your email," "confirm your account," "thank you for signing up," and "subscription confirmation." Go back as far as your email history allows. Make a list. Don't try to evaluate yet, just document what exists.

Your password manager is the second source. If you've been using one for years, it contains a record of every site you've logged into. Export the list if your manager supports it, or scroll through manually. Again, just document. Judgment comes later.

Check your browser's saved passwords. Chrome, Firefox, Safari, and Edge all maintain their own password stores. Even if you've migrated to a dedicated password manager, your browser might still hold credentials from before you made the switch. Those accounts still exist.

Look through old credit card and bank statements for recurring charges. Subscription services you forgot about are accounts you probably want to close. Even if the subscription is canceled, the account often remains active with your payment information on file.

Check your phone for apps you haven't opened in months. Mobile apps usually require accounts. If you haven't used the app since 2023, you probably don't need the account backing it.

Finally, think about life transitions. Did you change jobs? Move cities? Graduate from school? Each transition likely involved creating accounts for specific purposes that no longer apply. Alumni portals, old employer intranets, local service providers you no longer use, all candidates for closure.

Deciding what to delete

Not every unused account needs immediate deletion. Some are worth keeping even if you rarely log in. Here's how to sort them.

Delete immediately: Accounts tied to services you will never use again. That forum you posted on once in 2019. The recipe site you tried for a week. The streaming service you canceled two years ago. The online retailer you ordered from once and will never use again because their shipping was terrible. These have no upside. Close them.

Delete after extracting data: Accounts that contain information you might want later. Old photo-sharing sites. Fitness trackers you've replaced. Social networks you've moved away from but which hold years of posts. Download your data first using the platform's export tool, then delete the account. Most major platforms are required by law to provide data export options, though the quality varies.

Keep but secure: Accounts you use infrequently but need to maintain. Government services. Medical portals. Financial institutions. Alumni associations that provide ongoing benefits. These stay open, but you should audit their security settings, enable two-factor authentication, and ensure the password is strong and unique.

Consolidate: Multiple accounts serving the same purpose. If you have three email addresses, two cloud storage services, and four social media profiles for the same platform, consider consolidating down to one of each. Fewer accounts means less maintenance and less exposure.

The decision framework is simple: if you can't articulate a specific reason to keep the account, delete it. "I might need it someday" is not a specific reason. "I use it to access my medical records twice a year" is.

The actual deletion process

Finding the delete option is often the hardest part. Companies bury account deletion in settings menus, help documentation, or behind customer service contact forms. They use language like "deactivate" or "close account" instead of "delete." They require you to cancel subscriptions first, wait for billing cycles to end, or confirm deletion via email.

Here's the general pattern, though specifics vary by site:

Log in. Navigate to account settings. Look for sections labeled "Privacy," "Security," "Account," or "Profile." Scan for options like "Delete account," "Close account," "Deactivate," or "Remove my data." If you don't see it, check the help documentation. Search for "delete account" or "close account" on the site's support pages. Many companies provide direct links in help articles that aren't accessible through the settings interface.

If the help docs don't provide a link, contact customer support. Use live chat if available, it's faster than email. State clearly: "I want to permanently delete my account and all associated data." Don't let them talk you into deactivation unless that's genuinely what you want. Deactivation hides your profile but keeps your data on their servers. Deletion removes it, though the timeline varies by company.

Before you delete, handle these steps:

Cancel any active subscriptions. Most platforms won't let you delete an account with an active paid subscription. Cancel first, wait for the billing period to end, then delete.

Download your data if you want to keep it. Look for "Download your data," "Export data," or "Request your information" in settings. This process can take hours or days depending on how much data you have. Wait for the download link to arrive via email before proceeding with deletion.

Revoke third-party app permissions. If you've used the account to log into other services ("Sign in with Google," "Continue with Facebook," and similar), those connections need to be severed. Go to your connected apps settings and revoke access for any service you're no longer using.

Remove payment methods. Delete saved credit cards, bank accounts, and billing addresses. Some sites won't let you delete the account until payment information is removed.

Once you've completed those steps, proceed with deletion. The site will usually ask you to confirm, sometimes multiple times. It might ask you to re-enter your password. It might send a confirmation email requiring you to click a link. Follow through on all of these steps. If you don't confirm via email within the specified timeframe, usually 24 to 72 hours, the deletion request expires and you have to start over.

After confirming, you'll typically receive a final email stating that your account has been deleted or is scheduled for deletion. Save that email. It's your proof that you requested deletion, which matters if the company later claims they have no record of your request.

When deletion isn't possible

Some sites don't offer account deletion. They're rare now, consumer protection regulations in many jurisdictions require it, but they still exist, particularly among older platforms and smaller services.

If you genuinely cannot delete an account, do this:

Change the email address to a disposable one. Use a temporary email service or create a new throwaway address specifically for abandoned accounts. Update the account email, confirm the change, then abandon the disposable address. This breaks the connection between the account and your real email.

Change the password to something random and don't save it. Generate a long random string using your password manager, update the account password, then close the password manager without saving the new credential. You've effectively locked yourself out, and the account no longer holds a password you use elsewhere.

Remove all personal information you can edit. Change your name to "User," your location to "None," your birthdate to January 1, 1900 or whatever the system allows. Strip out phone numbers, addresses, profile photos, and any other identifying information the interface lets you modify.

Revoke all app permissions and connected services. Even if you can't delete the account itself, you can usually disconnect it from other platforms.

Disable all email notifications. Unsubscribe from everything the account sends you. You want no ongoing connection between this account and your inbox.

This isn't as good as deletion, but it reduces the value of the account to an attacker. A stripped account with a dead email address and a random password you don't know is significantly less useful than an active account with your real information.

The social media problem

Social media platforms are particularly resistant to deletion. They use dark patterns, design choices that make the desired action difficult, to keep you on the platform. They offer "deactivation" as the prominent option and hide "deletion" in help documentation. They impose waiting periods. They show you photos of friends and remind you what you'll lose. They make you click through multiple confirmation screens.

Do it anyway.

For Facebook: Settings → Your Facebook Information → Deactivation and Deletion → Permanently Delete Account. The process takes 30 days. If you log in during that period, deletion cancels and you have to start over.

For Instagram: Settings → Account Center → Personal details → Account ownership and control → Deactivation or deletion → Delete account. Same 30-day waiting period as Facebook, since Meta owns both platforms.

For Twitter/X: Settings → Your Account → Deactivate your account. 30-day waiting period. Logging in cancels deletion.

For LinkedIn: Settings & Privacy → Account preferences → Account management → Closing your LinkedIn account. This one is faster, usually completes within 24 hours, though they claim it can take up to 20 days.

For TikTok: Settings → Manage account → Delete account. 30-day waiting period.

The waiting periods are deliberate. They're betting you'll change your mind, get curious, or accidentally log in through a connected app. If you're serious about deletion, mark your calendar for 31 days out and verify the account is actually gone. Log out of all devices immediately after requesting deletion. Remove the apps from your phone. Don't give yourself an easy path back in.

The cultural reference that fits

In Sherlock (the BBC series with Benedict Cumberbatch), Sherlock Holmes maintains a "mind palace", a mental filing system where he stores only information he considers useful. When Watson tells him that the Earth revolves around the sun, Sherlock dismisses it as irrelevant to his work and says he'll delete it from his mind palace to make room for things that matter.

Your online accounts work the same way, except you can't selectively forget the ones that don't serve you anymore. They persist until you actively remove them. The mind palace is a useful analogy here: keeping every account you've ever created is like storing every piece of information you've ever encountered, relevant or not. Eventually the clutter makes it harder to find what actually matters. You're not deleting accounts because you're paranoid or because you have something to hide. You're deleting them because maintaining dozens of dormant accounts serves no purpose and creates real risk.

The difference is that Holmes could delete information through sheer will. You have to click through confirmation dialogs and wait out deletion periods. But the principle holds: keep what serves you, discard what doesn't, and don't let accumulation happen by default.

What happens to your data after deletion

The deletion confirmation email usually says something like "Your account has been permanently deleted" or "Your data will be removed within 30 days." What actually happens varies by company and is often deliberately vague.

Some companies delete immediately. The account disappears from their active database within hours. Others mark it for deletion and remove it during their next scheduled purge cycle, which might be weeks or months away. Still others retain "anonymized" data indefinitely, where "anonymized" means they've removed your name and email but kept everything else.

Backups complicate this further. Even if a company deletes your data from their active systems, backups might retain it for months or years depending on their retention policies. Some companies explicitly state in their privacy policies that backups are exempt from deletion requests. Others don't mention backups at all.

You can't control what happens in their backend systems. You can only control whether you maintain an active account they're obligated to secure. Deletion removes that obligation. Even if they retain some data in backups, a deleted account is no longer a live target for attackers. It won't appear in future breaches of their active systems. It won't be accessible through credential stuffing. It won't send you password reset emails that could be intercepted.

Maintaining the habit

Closing old accounts is not a one-time project. It's an ongoing practice. You'll create new accounts as you need them. Some of those accounts will outlive their usefulness. The goal is to prevent accumulation, not to achieve a permanent state of zero unused accounts.

Set a calendar reminder for every six months. When it triggers, spend an hour reviewing your accounts. Check your password manager. Scan your email for services you haven't used since the last review. Look at your phone's app list. Ask yourself: do I still need this? If the answer is no, delete it.

The process gets faster with practice. The first cleanup takes hours because you're dealing with years of accumulation. Subsequent reviews take thirty minutes because you're only evaluating six months of new accounts.

Some people maintain a spreadsheet tracking all their accounts, when they were created, when they were last used, and whether they're worth keeping. I don't do this, it feels like more work than it's worth, but if you like that level of organization, it's an option.

The key is making deletion the default for accounts you're not actively using. Don't keep an account "just in case." Don't keep it because closing it feels like effort. Don't keep it because you might want to check something in five years. If you can't articulate a specific, current reason to maintain the account, close it. You can always create a new account later if circumstances change. Creating a new account is easier than recovering from identity theft that traces back to a breach of a service you forgot you'd ever used.

The accounts you can't close

Some accounts are effectively permanent. Government services, for example. You can't delete your IRS account, your Social Security account, or your state's unemployment portal. Medical providers often won't delete patient records even if you request it, they're required by law to retain them for specific periods.

For these accounts, focus on security rather than deletion. Enable two-factor authentication if available. Use a strong, unique password. Set up breach monitoring for the associated email address. Review the account's security settings annually.

Financial accounts fall into this category too, though with more nuance. You can close bank accounts and credit cards, but doing so affects your credit history and might create complications if you have automatic payments tied to those accounts. Before closing financial accounts, ensure you've migrated all recurring payments, updated any services that have your card on file, and understand the impact on your credit score. For active financial accounts you're keeping, the same advice applies: strong security, regular monitoring, and annual reviews.

After the cleanup

Once you've closed your unused accounts, you'll notice the absence. Fewer password reset emails. Fewer breach notifications. Fewer services asking you to update your preferences or review their new privacy policy. Your inbox gets quieter. Your password manager gets shorter. The cognitive load of maintaining dozens of accounts you don't use drops to zero.

This isn't about achieving some perfect minimal state. It's about reducing unnecessary exposure. Every closed account is one less database that can leak your information. One less company that has to secure your data. One less credential that could be reused in an attack. One less thing to worry about when the next major breach hits the news.

The work isn't glamorous. No one will congratulate you for closing your old Tumblr account or finally deleting that meal-planning app you used for two weeks in 2022. But it's effective. It reduces risk in a measurable, concrete way. And unlike a lot of security advice, the results are permanent. Once an account is deleted, it's gone. You don't have to maintain it, monitor it, or remember it exists. That's worth the afternoon it takes to work through the list.

A clean desktop workspace with a single browser window showing a confirmation message that an account has been successfully deleted
→ Filed under
online accountsdigital privacydata securityaccount managementidentity theft preventiondigital hygiene
ShareXLinkedInFacebook

Frequently asked questions

Dormant accounts still hold your data. When breached, that data enters criminal markets and can fuel identity theft years later. Fewer accounts means less exposure.
Check your email for registration confirmations, password resets, and billing receipts. Search for terms like 'welcome,' 'verify,' 'confirm,' and 'subscription.' Your password manager also lists saved logins.
Some sites make deletion deliberately difficult. If you can't find a delete option, strip the account of personal data, change the email to a disposable address, and revoke any connected app permissions.
Deactivation hides your profile but keeps your data on the company's servers. Deletion removes it permanently, though the process can take weeks and some platforms make it intentionally hard to find.
It depends on the company. Some delete immediately; others retain data for weeks or months. Read the deletion confirmation email for specifics, and assume backups may persist longer than the company admits.

You might also like

Diagram showing data flow from user prompt through ChatGPT servers to model training pipeline
General

ChatGPT and your data: what's actually stored, what's used, and what you control

ChatGPT stores your prompts, generates responses, and uses conversations to train models. Here's the mechanism, what OpenAI keeps, and how to limit it.

12 min · Margot 'Magic' Thorne · May 21

Smartphone screen displaying MDM configuration profile with company policies and device management settings
General

MDM (mobile device management) explained: what your employer can see and control on your phone

MDM software gives employers access to work apps, data, and device settings—but the extent depends on ownership. Here's what's visible, what's controlled, and what stays private.

11 min · Margot 'Magic' Thorne · May 21

Laptop on airplane tray table with passport and boarding pass, overhead compartment visible
General

Travel Laptops: What to Take, What to Leave at Home

Should you bring your work laptop traveling? Here's the step-by-step decision framework, what to configure before you leave, and what to do at borders.

11 min · Margot 'Magic' Thorne · May 20