BreachExpress

Cybersecurity, explained for the rest of us.

General

Personal accounts on work devices: cleaning up before you leave

Margot 'Magic' Thorne@magicthorneJune 24, 202611 min read
Laptop screen showing multiple browser windows with personal email, shopping sites, and social media alongside work applications

You've been using your work laptop for two years. You check personal email during lunch. You ordered birthday gifts on Amazon. You logged into your bank once to pay a bill. You browsed job listings when things got rough.

Now you're leaving. The laptop goes back to IT. What happens to all that personal data?

The answer is simple: it stays there unless you remove it. Your employer owns the device. Your replacement might inherit it. IT will reimage it eventually, but "eventually" could be weeks or months. In the meantime, your saved passwords, browsing history, and logged-in accounts sit on a machine you no longer control.

This is the practical guide to cleaning up your personal accounts before you leave a job. We'll walk through what to delete, what to document, and how to protect yourself when the device isn't yours anymore.

Why this matters more than you think

Work devices blur boundaries in ways that feel normal until they're not. You use the laptop eight hours a day. It's faster than your home computer. The screen is bigger. You're already logged in. Checking personal email or shopping online feels harmless.

The problem surfaces when you leave. That device becomes evidence in the wrong context. A contentious departure turns your browsing history into discovery material. A security incident at the company exposes your saved passwords. Your replacement logs into the laptop and finds your Amazon wishlist still open.

I've spent two decades writing for cybersecurity vendors. The number of people who leave jobs without cleaning their devices is staggering. The number who realize the problem only after they've handed in their laptop is worse.

You can't retrieve data from a device you no longer possess. You can't unsave passwords from a machine you can't access. The time to clean up is before your last day, not after.

Step 1: Inventory what's actually there

Before you delete anything, you need to know what you're dealing with. Open your work device and make a list. This isn't paranoia. It's documentation.

Start with browsers. Open Chrome, Firefox, Edge, Safari, or whatever you use. Check saved passwords. Chrome stores them at chrome://settings/passwords. Firefox keeps them at about:logins. Edge uses edge://settings/passwords. Safari hides them in Preferences > Passwords.

Write down every personal account that shows up. Email accounts, shopping sites, banking, social media, streaming services, healthcare portals, anything that isn't work-related. Don't skip this step. You'll forget something if you try to do it from memory.

Next, check active browser sessions. Most sites let you stay logged in indefinitely. Go to your personal email and look at the "Devices & activity" or "Security" section. Google's Security Checkup shows every device with active access to your account. Microsoft's account security page does the same for Outlook and other Microsoft services. Check these from your work device. If you see sessions you don't recognize or sessions showing your work computer's location, you're still logged in.

Check saved files. Open your Downloads folder. Search for personal documents, tax forms, medical records, photos, anything you saved locally. Check Desktop. Check Documents. Don't assume you remember everything you downloaded.

Look at browser history. You don't need to read every entry, but scan for patterns. If you shopped for engagement rings or researched medical conditions or browsed job listings, that history is still there. FTC guidance on online privacy emphasizes that browsing data reveals more about you than most people realize.

Check cloud sync. If you enabled Chrome sync, Firefox sync, or Edge sync with a personal account, your bookmarks, passwords, and history might be syncing to your personal profile. That's good for you, bad for separation. You'll need to disable sync before you leave.

Write it all down. You'll use this list in the next steps.

Step 2: Log out of everything

This is the non-negotiable part. Every personal account you found in Step 1 needs to be logged out before you hand in the device.

Start with email. Open Gmail, Outlook, Yahoo, ProtonMail, whatever you use. Click your profile icon. Select "Sign out" or "Log out." Don't just close the tab. Actively log out. Then clear the saved password from your browser's password manager.

Do the same for every account on your list. Amazon, banking, social media, healthcare portals, streaming services, shopping sites. Log out. Then remove the saved password.

If you're using a password manager like 1Password, Bitwarden, or LastPass on your work device, log out of the password manager itself. Then uninstall the browser extension. Your vault data is encrypted and stored in the cloud, but the local session gives access to everything. Remove it.

For accounts where you enabled "Remember this device" or "Stay logged in," logging out isn't enough. You need to revoke the device's trusted status. Go to your account security settings. Look for "Devices" or "Where you're signed in" or "Active sessions." Find the entry for your work device. Remove it.

Google calls this "Manage devices." Microsoft calls it "Manage your sign-in methods." Apple calls it "Devices" in your Apple ID settings. The wording changes, but the concept is the same. Find the work device. Revoke access.

If you can't remember whether you logged into something, assume you did. Go to the site. Check. Log out if you're there.

Step 3: Clear saved passwords and autofill data

Logging out is half the job. Saved passwords stay in the browser even after you log out. Your replacement could open Chrome, click on a saved password entry, and see your email address and password in plaintext.

Open your browser's password manager again. Delete every personal account password. In Chrome, click the three dots next to each entry and select "Remove." In Firefox, click "Remove" in the password details. In Edge, same process. In Safari, select the entry and press Delete.

Don't skip this. I've seen people hand in laptops with dozens of saved passwords still sitting in the browser. "But I logged out" doesn't protect you if the password is still saved.

Next, clear autofill data. Browsers save addresses, phone numbers, credit card information, and names you've entered into forms. Chrome stores this at chrome://settings/addresses and chrome://settings/payments. Firefox keeps it at about:preferences#privacy. Edge uses edge://settings/profiles. Safari hides it in Preferences > AutoFill.

Delete your home address. Delete your personal phone number. Delete saved credit cards. Delete anything that identifies you personally.

If you've used the browser's built-in payment autofill, remove those cards. The full card number isn't stored (browsers save a token, not the number), but the last four digits and expiration date are. Remove them.

Step 4: Delete personal files

Check your Downloads folder. Delete anything personal. Tax documents, medical records, photos, resumes, cover letters, personal projects. If it's not work-related, delete it.

Check Desktop. Check Documents. Check any folders you created. People store surprising things on work devices without thinking about it. I've seen people leave behind scanned copies of passports, birth certificates, and Social Security cards in Downloads folders.

Empty the Recycle Bin (Windows) or Trash (Mac). Deleted files sit there until you empty it. Don't leave that step undone.

If you saved files to a work-managed cloud account (OneDrive, Google Drive, Dropbox for Business), those files stay with the company. You can't delete them without permission, and you shouldn't. They're work property. But if you uploaded personal files to a work cloud account by mistake, ask IT how to handle it before you leave.

Don't copy work files to a personal account or USB drive without explicit permission. Work product belongs to the company. Transferring it without authorization creates legal problems. If you need to hand off projects, ask your manager about the proper process.

Step 5: Clear browsing data

Browser history is a record of everywhere you've been online. It's not just URLs. It's timestamps, search queries, and a detailed map of your interests and activities.

Clear it. All of it.

In Chrome, go to chrome://settings/clearBrowserData. Select "All time" for the time range. Check "Browsing history," "Cookies and other site data," and "Cached images and files." Click "Clear data."

In Firefox, go to about:preferences#privacy. Scroll to "Cookies and Site Data." Click "Clear Data." Then scroll to "History" and click "Clear History." Select "Everything" for the time range.

In Edge, go to edge://settings/clearBrowserData. Same process as Chrome.

In Safari, go to History > Clear History. Select "all history."

This step removes not just the list of sites you visited, but also cookies, cached files, and site data that track you across sessions. It's the digital equivalent of wiping down your desk before you leave.

If you used multiple browsers (some people use Chrome for work, Firefox for personal), repeat this process in each browser.

Step 6: Disable sync and disconnect accounts

If you enabled browser sync with a personal Google account, Microsoft account, or Apple ID, your work device has been uploading bookmarks, passwords, and history to your personal cloud profile.

That's fine for your personal data. It's a problem for separation. Disable sync before you leave.

In Chrome, go to chrome://settings/syncSetup. Click "Turn off." This stops syncing but doesn't delete data already in your Google account.

In Firefox, go to about:preferences#sync. Click "Disconnect."

In Edge, go to edge://settings/profiles/sync. Click "Turn off sync."

In Safari, go to System Preferences > Apple ID > iCloud. Uncheck Safari if it's enabled.

After you disable sync, check your personal Google, Microsoft, or Apple account from a personal device. Make sure your work device is no longer listed as a synced device. If it is, remove it manually.

Step 7: Check for personal apps and extensions

If you installed personal apps or browser extensions on your work device, remove them.

Check installed applications. On Windows, go to Settings > Apps. On Mac, open Applications. Look for anything personal. Password managers, VPNs, messaging apps, games, utilities. Uninstall them.

Check browser extensions. In Chrome, go to chrome://extensions. In Firefox, go to about:addons. In Edge, go to edge://extensions. Remove any extension tied to a personal account or personal use.

If you installed a personal VPN, uninstall it. If you installed a personal password manager, uninstall it. If you installed browser extensions for shopping, ad blocking, or privacy that aren't work-related, remove them.

Step 8: Sign out of personal accounts on mobile (if applicable)

If your work device is a phone or tablet, the cleanup process is similar but involves more apps.

Go through every app on the device. If you logged into a personal account (email, social media, banking, shopping, messaging), open the app and log out. Then uninstall the app if it's not work-related.

Check Settings > Accounts (Android) or Settings > Passwords & Accounts (iOS). Remove any personal accounts listed there.

If you used the device for two-factor authentication with a personal authenticator app, remove your personal accounts from the app or uninstall the app entirely. Then reconfigure 2FA for those accounts on a personal device.

If you enabled biometric unlock (fingerprint, Face ID) with your personal biometrics, disable it. The device should return to the company with only work-authorized biometrics or PINs.

Step 9: Document what you did

Before you hand in the device, write down what you cleaned up and when. This isn't paranoia. It's a record.

Note the date you logged out of personal accounts. Note which accounts you removed. Note that you cleared browsing data, deleted personal files, and disabled sync.

If something goes wrong later (a security incident, a dispute with your employer, a question about data handling), you'll have a timeline. "I logged out of my personal email and cleared my browsing history on June 20, 2026, three days before my last day" is a factual statement you can defend.

You don't need to share this document with your employer unless asked. It's for your records.

Step 10: Change passwords after you leave

Even if you logged out of everything and cleared all saved passwords, change your passwords anyway. Do this from a personal device after you've handed in the work device.

Start with email. Change your personal email password. Then change passwords for banking, shopping, social media, healthcare, and any other account you accessed from the work device.

Why? Because logging out and deleting saved passwords doesn't guarantee the password wasn't captured somewhere else. Keyloggers, clipboard monitors, and network traffic analysis can all record passwords. You probably weren't targeted by any of those, but changing passwords removes the risk entirely.

Use a password manager on your personal device to generate new, unique passwords. EFF's guide to password managers walks through the setup process if you don't have one yet.

Step 11: Check active sessions from a personal device

After you've handed in the work device, check your account security settings from a personal device. Look for active sessions that shouldn't be there.

Log into your personal email. Go to "Devices & activity" or "Recent activity." If you see a session from your old work location or a device you no longer control, revoke it immediately.

Do the same for banking, social media, and any other account where you can view active sessions. CISA's guidance on multifactor authentication emphasizes the importance of monitoring account access, especially after device changes.

If you find an active session you didn't expect, change the password immediately. Then enable two-factor authentication if you haven't already.

What not to do

Don't delete work files. They belong to the company. Deleting them without permission creates problems.

Don't factory reset the device unless IT explicitly tells you to. Some companies want devices returned as-is for auditing. Others want them wiped. Ask.

Don't copy work files to personal accounts or USB drives without permission. This is a legal and ethical boundary. If you need to transfer knowledge, ask your manager about proper handoff procedures.

Don't assume "I logged out" is enough. Saved passwords, browsing history, and cached data persist after logout. Clean them manually.

Don't wait until your last day. IT might collect the device early. You might forget in the rush of final meetings and handoffs. Do this cleanup a few days before you leave.

The Office Space problem

In the 1999 film Office Space, Peter Gibbons stops caring about his job and starts doing the bare minimum. He shows up late, ignores his boss, and takes long lunches. The joke is that his apathy makes him happier than his overworked colleagues.

The film doesn't show what happens to Peter's work computer after he leaves. But the principle applies here: the things you ignore because they seem small accumulate into real problems.

You logged into personal email once to handle an emergency. You saved your home address in autofill to speed up a one-time purchase. You checked your bank balance during lunch. Each action felt harmless in the moment. Together, they create a detailed record of your personal life on a device you no longer control.

The cleanup process in this guide isn't about paranoia. It's about taking the small actions that prevent larger problems. You log out. You delete. You clear. You document. You move on.

Most people won't face consequences for leaving personal data on a work device. But "most people" isn't a plan. The cleanup takes an hour. The risk of not doing it lasts as long as that device stays in circulation.

What happens if you forget something

You handed in the laptop. Two weeks later, you realize you forgot to log out of your personal Amazon account. What now?

Change the password immediately. Log into Amazon from a personal device. Go to Account > Login & security > Edit next to Password. Change it. Then check "Devices" under "Secure Your Account" and remove any sessions showing your old work location.

Do the same for any other account you realize you left logged in. The password change invalidates the old session. The session revocation removes the device from the trusted list.

If you forgot to delete personal files, there's less you can do. You can't access the device remotely. You can't delete files you no longer control. If the files contain sensitive information (tax documents, medical records, scanned IDs), contact your former employer's IT department and explain the situation. They might be willing to delete the files before the device is reassigned or reimaged.

If you're worried about data exposure, consider whether the files create real risk. A forgotten shopping list isn't a problem. A scanned copy of your passport is. Assess the sensitivity and act accordingly.

The long-term habit

If you're reading this guide before you leave a job, you're ahead of the curve. Most people think about this problem only after they've handed in the device.

The better approach is to never mix personal and work accounts on a work device in the first place. Use your personal phone for personal email. Use your personal laptop for personal shopping. Use your work device only for work.

I know that's not always practical. Work devices are faster, bigger, and already in front of you. But the boundary matters. The more you keep personal and work separate, the less cleanup you'll need when you leave.

If you must use a work device for personal tasks, do it in a private browsing window (Incognito in Chrome, Private in Firefox and Safari, InPrivate in Edge). Private windows don't save browsing history, cookies, or passwords. They're not perfect (your employer can still see network traffic), but they reduce the cleanup burden significantly.

Set a reminder to clear browsing data weekly. Set another reminder to check saved passwords monthly. Make cleanup a habit, not a crisis task.

Empty desk with closed laptop, personal items packed in box, symbolizing clean departure from workplace
→ Filed under
work securitydata privacyaccount managementemployment transitiondevice cleanupprofessional boundaries
ShareXLinkedInFacebook

Frequently asked questions

Yes. Your employer owns the device and can monitor everything on it, including browsing history, saved passwords, and logged-in accounts. Assume full visibility.
The device stays with the company. Your personal data, saved passwords, browsing history, and logged-in accounts remain accessible to IT and potentially your replacement unless you remove them.
Absolutely. Log out of all personal accounts, clear saved passwords, remove personal files, and clear browsing data. Do this before you hand in the device.
Change the password immediately from a personal device. Check active sessions in account security settings and revoke access to any sessions still showing the work device.
No. Work files belong to the company. Transferring them without permission creates legal and ethical problems. Ask your manager about proper handoff procedures instead.

You might also like

Two phones displaying a conversation with typing indicators, read receipts, and an image preview, illustrating RCS features compared to plain SMS text
General

RCS Messaging: What It Is and Why It Matters

RCS is the protocol replacing SMS with encryption, read receipts, and rich media. Here's how the underlying mechanism works and what actually changes.

11 min · Margot 'Magic' Thorne · May 17

A clean home office desk with laptop, router, and security checklist visible on screen
General

How to Secure Your Home Office for Remote Work: A Step-by-Step Setup Guide

Lock down your home network, devices, and accounts with this practical remote work security setup. Here's what to configure, what to skip, and why each step matters.

5 min · Margot 'Magic' Thorne · May 6

iPhone and Android phone side by side with security shield icons
General

iPhone vs Android: which platform actually protects you better

iPhones and Android phones secure your data differently. Here's how each platform handles updates, app permissions, encryption, and malware—and which matters more.

11 min · Margot 'Magic' Thorne · May 8