According to Google, once your Gmail account is deleted, it will not be possible to recover photos, files, emails, contact information, or purchases such as music, apps, movies, or books that you may have acquired using your Google account.
Google has officially released its inactive account policy according to which it will delete free Google accounts that have not been signed into for two years and do not have any active subscriptions. This policy applies to personal Google Accounts, not those not set up through school, work, or other organizations.
However, this policy doesn’t apply to paid Google Workspace accounts or accounts with an active subscription. For instance, if you have subscribed to Google One, your account will remain active even without regular sign-ins. If you maintain any paid subscriptions within an app via Google Play, this will also be considered an activity.
A Google Account is necessary to access the different Google products, including Gmail, YouTube, and Google Ads, with a single username and password. The updated policies were announced in May 2023 and will be implemented starting 1st December 2023.
So, if it’s been two years since you used your free Google account, Google may delete it. Per the policies, if deleted, it won’t be possible to recover photos, files, emails, contact information, or purchases such as music, apps, movies, or books you may have acquired using your Google account. If you want to keep your Google account active, sign into it at least once every two years and perform any activity.
For your information, Google considers a Google account active that is regularly used. This is indicated by several activities, such as watching a YouTube video, Google search, downloading apps, using Google Drive, or checking Gmail.
The account tracks Google account activity, and not the device, so any actions taken on a device while being signed into a Google Account will be an activity. You must also sign in to Photos at least once every two years to maintain access to Google Photos and any photos uploaded from your free account. To sign in, you can use Google Photos web or mobile version.
It is possible to maintain access to your Google account and its content because Google lets you choose people who can access your account if you cannot do so yourself. Before deleting the account, Google will notify the account owner via emails sent to the Google Account and to the recovery email (if applicable).
If you don’t want or need a Google account, you can allow it to be deleted after a period of inactivity or delete it yourself. However, make sure to export any stored data using Google Takeout.
To delete a Google account, sign in with the account you want to delete, go to the Data & Privacy page, scroll to the bottom, and select Delete Your Google Account. Follow the prompts to authenticate and confirm that you want to delete the account.
Keeper Security’s VP of Security and Compliance, Patrick Tiquet, shared the following comment on this newly implemented policy with Hackread.com.
“Inactive accounts can present significant cybersecurity risks, as these accounts may retain weak or unchanged passwords, creating vulnerabilities for unauthorized access and potential misuse by cybercriminals for phishing attacks or data exposure. When you combine the personal information stored in these accounts and potential interconnections to other services, there is a heightened risk of identity theft and unauthorized access to linked accounts. Additionally, the lack of monitoring for inactive accounts increases the likelihood of users being unaware of suspicious activities, allowing bad actors more time to exploit the compromised accounts.”
Synopsys Software Integrity Group’s associate principal security consultant, Ben Hutchison, also shared his thoughts on this development.
“Continuing to maintain a large number of inactive accounts is a little bit like not replacing those old, cracked windows on your property and in essence the potential attack surface of the system. Inactive accounts provide a means of potential ingress or compromise for attackers to take advantage of, and since they have by definition gone unused for long periods of time, they may be protected by weak locks (passwords) and their owners (users) are unlikely to notice signs of compromise or unauthorized activity.”
“Compromising one account may lead to a cascade if the account compromised enables access to other platform services, the user reuses their password for other accounts or in the specific case of email compromise, providing attackers with the opportunity to abuse account reset workflows for other systems/services in combination with compromised credentials in the hope that the compromised account is linked to one of these, leading to further eventual takeovers,” Hutchison added.