Update, Nov. 13, 2024: This story, originally published Nov. 11, now includes details of how to securely manage multiple Gmail accounts on a single device along with further explanations of how Google secures your Gmail email.
I like to keep an eye on the various Google support forums, including the Gmail subreddit. So, when I saw someone asking whether Google deletes inactive Gmail accounts, I was kind of surprised, given that it’s almost exactly a year ago that I started warning users of this very danger. You likely won’t have nine different Gmail accounts, each used for a different purpose, as the person asking for help did, but here’s what you need to know if you have any Gmail accounts that have not been used in a while.
The New Google Policy On Gmail And Photo Account Deletions Explained
As regular readers of the cybersecurity section of Forbes.com will be aware, a Google policy change put the Gmail and Photos content of some users at risk. In a change to the inactive account policy, Google announced that from Dec. 1, 2024, certain accounts would be deleted and content such as Gmail messages, Google Photo libraries and Google Docs archives would be deleted with them.
Google actually started emailing holders of accounts likely to be affected first by the inactive accounts policy change some 18 months ago now, with those being accounts that were opened but never actually used since. More recent emails have since been sent that confirmed other Gmail and Photos accounts will be closed in due course.
The new inactive account policy from Google defines an inactive account as one that has not been used for two years. Moreover, the policy now states, “Google reserves the right to delete an inactive Google Account and its activity and data if you are inactive across Google for at least two years.” It’s critical to point out that this only applies to personal Google accounts, so business and educational accounts are not affected. When it comes to the data or content within an account that can be deleted, Google says that this is “determined based on each product’s inactivity policies.”
Under these product policies, Google categorizes an action as account activity if it meets any of the following requirements:
- Reading or sending an email
- Using Google Drive
- Watching a YouTube video
- Sharing a photo
- Downloading an app
- Using Google Search
- Using Sign in with Google to sign in to a third-party app or service
The Security Reasoning Behind The Gmail And Photo Content Purge
With some 2.5 billion active users, according to Google itself, it is no wonder that Gmail is a primary target for many cybercriminals looking to gain initial access to other networks and accounts. Now, you might think that a Google account that has remained inactive for two years is hardly likely to be a worthwhile target for a sophisticated phishing campaign, but that doesn’t make them a waste of time for an attacker to target. Ruth Kricheli, a vice president of product management at Google, said when announcing the new inactive account policy update, “If an account hasn’t been used for an extended period of time, it is more likely to be compromised.” This is very accurate as it also means the account is way less likely to have had any recent security checks by the owner, let alone be using two-factor authentication or a secure password. “Our internal analysis shows abandoned accounts are at least 10x less likely than active accounts to have 2-step verification set up,” Kricheli said. Yet that account still has value to an attacker as it can be used as a launchpad for further attacks, and that is without considering that the information stored within it could still be a treasure trove of hacker-friendly data.
Next Steps To Protect Gmail And Photo Content From Deletion
In addition to referring to the previously listed account activities, Google users looking to protect their accounts need to follow only one simple rule: log in at least once every couple of years. I’d recommend making that every three months and taking a Google account security checkup while signed in to ensure you are keeping on top of your account security configurations. See later in this article for more information regarding how and why a Google security checkup can help protect your Gmail data.
If you can’t recall the login credentials for your inactive Google account, then maybe it’s a timely reminder to use a password manager app. That won’t help you immediately, though, but all is not lost. Start the Google account recovery process, which requires the entry of a telephone number or recovery email address. Most of the time, entering a known telephone number or email address, regardless of whether you’ve forgotten the details of your account, will prove successful. Google will send a text message or email to those recovery contacts and provide the details of the accounts associated with them. Once you have this level of detail, try to sign in to the account and follow the route for forgotten passwords to set off the password recovery verification process.
Just remember that Google account activity, be it Gmail or Google Photos that you are interested in, is determined by account rather than device. So be sure to take action now to prevent your accounts from being tagged as inactive and risk losing important, if overlooked, Gmail and Google Photos data.
Manage Multiple Gmail Accounts On One Device The Secure And Easy Way With Google Account Switching
I heartily recommend having more than one Gmail account, mostly so that there is a safety cushion should your primary email account be compromised and you are locked out of it and the content within. To ensure you have a copy of all your important emails, you can set up a forwarding rule so that all incoming email to that primary account is also sent to the secondary one. If you want to be uber-organized you could have different and dedicated Gmail accounts for images, documents, family correspondence and so on. The only thing limiting forwarding rules is your imagination.
To create a new Gmail account:
- Sign out of your Google Account.
- Go to the Google Account sign-in page.
- Click on create account.
To ensure that your new Gmail accounts are as secure as possible, use a passkey where possible and preferably one tied to a different device than the primary account. You could also use two-factor authentication employing a standalone 2FA code-generating app rather than via SMS to the same telephone number as previously, as this will be a less risky option.
To manage multiple Gmail accounts from a single device you just need to follow these simple steps:
- Click on your avatar in the top right of any Google service you are signed into.
- Select the add account option.
- Select an existing account you wish to add and sign-in.
- Complete any two-factor authentication requirement and add a passkey for quicker and more secure access.
- Go back to your avatar and you will have more than one account to select from and can now switch on demand.
Now that you have multiple Gmail accounts up and running and linked to each other by your forwarding rules, comes the time-consuming but absolutely necessary bit: run Google’s account security checkup for each one. I know that this might seem like a pointless task for brand-new accounts, but I’d argue this is the best time to ensure you are not getting into any bad security hygiene habits from the get-go.
Complete Google’s Security Checkup For Each Active Gmail Account
Google’s security checkup feature is free to use and a vital weapon in your Gmail account security armory.
Head to the link above, and you will find that Google has already filled in the details before you even get there. What this entails is an analysis of your security settings as they apply to your account along with recommended actions to bolster your security posture if needed. Although you will find the recommendations listed in order of criticality, I’d recommend taking the extra few minutes it takes to go through them all anyway, to be on the safe, and secure, side.
Expect to find measures such as turning on safe browsing in the Chrome web browser, checking those Gmail forwarding rules that you will have made already, as well as options to see which email addresses are on your blocked list. An unfamiliar forwarding rule could have been established by someone who accessed your account without your knowledge, and an address added to your blocked list could be to prevent warning emails from arriving there. So, it is worth checking both of these.
Be Aware Of The Increasingly Sophisticated AI-Powered Gmail Phishing Threat
I recounted the very concerning tale of how one cybersecurity consultant very nearly fell victim to a sophisticated phishing attack targeting his Gmail account, back in October. That story went viral, and for a good reason: phishing attacks are the primary route into your Google account, and therefore your Gmail inbox, for most all threat actors. Knowing what to look out for, and how to respond, is critical in keeping both safe from hackers, fraudsters and even state-sponsored threat actors.
I would recommend reading that article and the advice provided, but if time is short let me recap here. The person who almost got fooled here was a savvy cybersecurity consultant, so not what you might imagine as your typical phishing victim. That is lesson number one: anyone can get taken in by the most sophisticated of phishing scams; it only takes one moment when your guard is down. Remember that and question everything, all the time. The AI-driven attack used a combination of an email that appeared to come from Google support and a telephone call; in another similar case, the attackers abused the free Google Forms tool, which comes as part of Google Workspace, to create a legitimate-looking document. The email and associated documents take the format of a notification to approve a password reset on the Google account. Follow this and you will be phished, your account credentials will be copied, and your two-factor authentication protections will likely be bypassed by session cookie-stealing malware. Ignore the email, which is the right thing to do (remember, you are questioning everything), and you will get a telephone call seven days later, appearing to be from a genuine Google number.
Questioning everything includes, as the hero of our story did, Googling the telephone number he was being called on. This showed the call led to Google business pages, but it wasn’t actually a real support number and the Google pages had to do with getting calls from Google Assistant. The consultant cottoned on to the scam when he asked for an email confirmation and what he received aroused suspicion. Suspicion that was confirmed after going quiet and noticing the caller’s responses didn’t sound altogether human.
So, the lessons learned here are that you should always try and stay calm if you are approached by someone claiming to be from Google support, which I know is easier said than done in times of stress. Google support will not phone you so there’s a massive red flag right away, and no harm will come to you if you hang up. Also, make use of all the tools that, ironically in this case, Google itself provides to help you. As our hero did, search for the phone number to see where it’s really coming from and do so without rushing. If the caller tries to hurry you along, that’s another red flag right there. Also, check your Gmail activity itself to see what, if any, devices other than your own have been using the account. If there are none that you don’t recognize then no “hacker” has been using your account as claimed.
The Google Security Response To Gmail And Other Scammers
Google, as you would hope, has not been sitting back and just watching how security threats against Gmail users and Google account holders are evolving without fighting back. Most recently, Google announced that it has joined forces with the Global Anti-Scam Alliance and the DNS Research Federation to form the Global Signal Exchange to act as an intelligence-sharing platform providing real-time insight into the cybercrime supply chain. Amanda Storey, senior director of trust and safety at Google, said that “GSE aims to improve the exchange of abuse signals, enabling faster identification and disruption of fraudulent activities across various sectors, platforms and services.”
I would also recommend using Google’s Advanced Protection Program to add extra layers of security to your Google account and, therefore, your Gmail account as well. Although originally aimed squarely at the likes of high-risk users such as activists, politicians, famous individuals and journalists, Google’s APP has become a de facto tool for anyone looking to give their account the highest level of protection from attack. There is no longer a financial burden as Google has enabled passkey support for APP users now instead of the requirement for an expensive pair of hardware account authentication keys. This opens the protection up to anyone with a smartphone, which is pretty much everyone.
And when it comes to defensive AI, for want of a better term, Google has already brought that to the commercial side of Gmail with paid Workspace account holders getting access to a new and powerful security advisor tool. What this adds to the Gmail protection party is a security sandbox that enables secure scanning for malware that oftentimes hides within email attachments. The security advisor also enables enhanced safe browsing by scanning incoming messages for malicious content, this time doing so before that email has even been delivered to the user’s Gmail inbox.
The moral of this lengthy tale, then, is that what might seem like a draconian step by Google in closing down harmless dormant Gmail accounts is anything but. Google is playing the security card, and we should be grateful that it is. After all, Gmail hackers hardly need any more help in carrying out their nefarious acts.