Accounts that have not been used for a long time and whose ownership is unknown: how do companies manage these out-of-control accounts?

According to reports, Google will begin deleting Google personal accounts that have not been used for 2 years by the end of this year. The rationale is that Google has found that an account is more likely to be compromised the longer it goes unused.

The passwords on these long-unused accounts are generally old or reused, so the chance that the password has already been leaked is higher, and most old accounts have neither two-factor authentication nor security checks set up. Google's analysis found that these unused or abandoned accounts are only one-tenth as likely as active accounts to have two-factor authentication enabled. Once compromised, such accounts can be used for identity theft and other malicious purposes, such as sending spam.


Google's reasoning is not arbitrary. The security risk of long-unused accounts comes mainly from gaps in oversight and maintenance. Organizations and individuals therefore need to actively discover these accounts and give them attention: review and clean up their passwords, permissions, stored data, and third-party integrations. Minimizing this latent risk is one of the key links in account security management.

Accounts that have not been used for a long time carry several kinds of risk:

- weak passwords;
- excessive permissions;
- sensitive information and data that were never cleared;
- sitting in a "blind spot" of the monitoring system;
- third-party collaboration risk (third-party applications that were never unbound or whose authorization was never revoked);
- important-business risk (a long-unused account may still correspond to an important business system or process);
- system vulnerability risk (an operating system that lacks maintenance and updates may be associated with a long-unused account);
- uncleaned device risk (such devices may still be bound to long-unused accounts);

and so on.


In addition, some third-party platform accounts (for example: Apple developer accounts, Zhihu accounts, Toutiao accounts, Baidu promotion accounts, etc.) are applied for by individual employees in the name of the enterprise and are usually bound to the employee's personal mobile phone number. When employees leave or transfer jobs, they may forget to hand over the account or change their phone number, so the enterprise loses control of the account; if the account is then maliciously taken over, this can even create legal and public-opinion risks.

Other third-party platform accounts must be shared by several people within the company or a department. Their permissions may be too broad and responsibility for them unclear, creating a risk of account theft and abuse. In short, in the course of business, enterprise accounts face the following security risks:

1. Password security risk. Simple or reused passwords are easily guessed or cracked, leading to account theft;

2. Excessive-permission risk. Some accounts are granted overly loose permissions, so a compromise of such an account has a serious impact;

3. Shared-account risk. When multiple users share a single enterprise account there is a risk of theft and abuse, and a compromise of the account affects everyone who uses it;

4. Leaver-account risk. An employee's account is not disabled promptly after resignation, making it easy to use illegitimately;

5. Third-party access risk. If the interfaces between enterprise systems and third-party applications or services are not configured with security controls and identity verification, a compromised third-party account can also give entry into the enterprise system;

6. Data breach risk. If the data reachable through an enterprise account is not classified and protected, a compromise of the account readily leads to data leakage;

7. Endpoint security risk. If the work terminal on which the enterprise account is used is not adequately protected, it easily becomes a springboard for attackers into the enterprise network and its accounts;

8. Online login risk. The login endpoints of the enterprise's various web application management back ends and mobile applications are easy to password-crack if strong authentication such as secondary verification is not adopted;

9. Insufficient-monitoring risk. Use of and access to enterprise accounts is not monitored promptly and comprehensively, making security attacks hard to detect.
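The risks listed above (dormancy, missing two-factor authentication, excessive permissions, departed owners, shared use) can be checked mechanically against an account inventory. The following is an added example, not code from the original post or from any product mentioned in it; it triages a constructed, in-memory inventory and proposes a review action per account. The field names, the role names treated as privileged, and the sample accounts are all assumptions made for the illustration; the 730-day dormancy threshold mirrors the two-year figure cited in the post.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Two years, matching the dormancy threshold discussed in the post.
DORMANT_DAYS = 730
# Hypothetical role names an organization would treat as privileged.
PRIVILEGED_ROLES = {"admin", "owner", "billing"}


@dataclass
class Account:
    """One row of an account inventory (constructed field names)."""
    name: str
    last_login: Optional[date]   # None means the account was never used
    mfa_enabled: bool
    roles: set = field(default_factory=set)
    owner_status: str = "active"  # "active" or "departed"
    shared: bool = False          # used by several people


def triage(accounts, today, dormant_days=DORMANT_DAYS):
    """Return {account name: [issue tags]} for every account with at least one issue."""
    findings = {}
    for a in accounts:
        issues = []
        if a.last_login is None:
            issues.append("never-used")
        elif (today - a.last_login).days > dormant_days:
            issues.append("dormant")
        if not a.mfa_enabled:
            issues.append("no-mfa")
        if a.roles & PRIVILEGED_ROLES:
            issues.append("privileged")
        if a.owner_status == "departed":
            issues.append("owner-departed")
        if a.shared:
            issues.append("shared")
        if issues:
            findings[a.name] = issues
    return findings


def recommended_action(issues):
    """Map a list of issue tags to a review action (a simple, assumed policy)."""
    if "owner-departed" in issues or "never-used" in issues:
        return "disable"            # no legitimate current user
    if "dormant" in issues:
        # A dormant privileged account is disabled at once; an ordinary
        # dormant account gets a notice first, as Google's policy does.
        return "disable" if "privileged" in issues else "notify-then-disable"
    if "no-mfa" in issues or "shared" in issues:
        return "review"             # active, but weakly protected
    return "ok"


# Constructed sample inventory and reference date for the demonstration.
TODAY = date(2023, 6, 10)
SAMPLE = [
    Account("alice", date(2023, 5, 30), True, {"user"}),
    Account("svc-deploy", date(2021, 1, 15), False, {"admin"}),
    Account("bob", date(2022, 11, 2), False, {"user"}, owner_status="departed"),
    Account("marketing-shared", date(2023, 6, 1), False, {"user"}, shared=True),
    Account("tmp-intern", None, False, {"user"}),
]


def report(accounts=SAMPLE, today=TODAY):
    """Return {account name: (issues, action)} for the flagged accounts."""
    return {name: (issues, recommended_action(issues))
            for name, issues in triage(accounts, today).items()}


if __name__ == "__main__":
    for name, (issues, action) in report().items():
        print(f"{name:18} {action:20} {', '.join(issues)}")
```

In practice the inventory would come from the identity provider's or application's user export rather than a hard-coded list; the triage and policy functions stay the same.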

So, faced with long-unused accounts, accounts that employees applied for personally, shared accounts, and improperly assigned account permissions, how can enterprises safely manage these out-of-control accounts?

Digital Shadow Account Manager provides account management across all platforms and automatic login to any application, with industry-leading data security technology protecting the enterprise's account assets. Without revealing the account password, it lets team members share application login and usage permissions securely, conveniently and efficiently.


Digital Shadow Account Manager is an independent third-party account-secret custody service that gives enterprises a secure platform for account management and application access control, protecting enterprise account assets. Users log in to all third-party applications with one click through Digital Shadow, and application usage permissions are shared with employees safely and conveniently without ever sharing the account secret. The account secret itself is stored under strict AES-256 encryption so that it cannot be leaked or snooped on.

The management capabilities of Digital Shadow Account Manager

Automatic discovery: automatically discovers unmanaged accounts and unauthorized account changes during application use.

Account escrow: for internal systems not yet connected to SSO, and for third-party applications (including client applications), holds the account secret in escrow and assigns usage permissions to team members from the management console.

Account secret hiding: automation technology performs the application login, so the user never holds the application password, which removes the root cause of account-password exposure.

Screen recording audit: fully reconstructs user operations, compensating for gaps in the system's own logging; privileged accounts additionally support real-time screen-recording audit.

At the same time, for specific application accounts or for positions with high staff turnover, there are security risks such as accounts being hard to inventory, easily stolen, and not recovered in time. Managers often reuse existing accounts instead. Using Shuying (Digital Shadow) reduces the management cost of repeatedly creating accounts, assigning permissions and recovering accounts.


Finally, to reduce the related risks, Google may delete an account that has not been logged in to for at least 2 years together with its content, including Gmail, Google Docs, Calendar, Meet, Photos, etc. This policy applies only to Google personal accounts and does not affect business and organizational accounts, such as those of schools and companies.

Although the policy has recently come into effect, Google will not delete unused accounts immediately. The earliest Google will start deleting accounts is December 2023. Deletion will also be phased in, starting with accounts that were created and never used. In addition, for several months before deleting an account, Google will send multiple deletion notices to the account's email address and its recovery email address.


Origin blog.csdn.net/Dsphere_shuying/article/details/131053159