Sites should periodically delete old & inactive accounts

Sites need to periodically delete old and inactive accounts so that, if the site is compromised, inactive users are not put in danger. I recently got an email from myfitnesspal that I had not changed my password since it was compromised in March. I do not remember reading the first email; it had landed in my spam. I may have created an account with them a few years ago and never used it. My account had been empty all this time, but I had a generic password I use on multiple sites.

Sites benefit from reduced storage and database overhead, which can speed up page load times. At the same time, inactive users get peace of mind that their data isn't lingering on a site they no longer use. Sites that use usernames as the primary identity can also free old usernames so new users can pick realistic names without long numbers appended. Besides the security benefit, it's good for user privacy as well.

Some sites already do this well. When an account has been inactive for a set duration, they send email notifications that the account will be marked for deletion unless the user wants to keep using the site. Once the user logs in again, the counter is reset and the account is considered active for some time. But I've found such sites to be rare. Company websites like to hold on to data as long as possible and present it to stockholders as an asset. But a breach of data never looks good on anyone.

Some companies acknowledge their data breach long after the incident and send the acknowledgment emails to customers gradually; mine arrived a few days after I had already read about those emails on other forums. It could be that their email server is queuing them up, or that they want to avoid an overwhelming surge of requests from all over the world. But prompt notification of a compromise reduces the impact of the damage, and the same companies have no problem sending promotional emails to all users at the same time. Users of companies that handle email and other sensitive information can have their work and lives ruined.

Our forum, although mostly inactive, already has a plugin that finds old inactive accounts and emails them one last chance to avoid deletion. If no response is received, it automatically deletes the account and saves us some database space. While the savings may not be significant, many of these accounts were created by spam bots that never log in again, so it reduces spam on the site as well.
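The warn-then-delete cycle described above (inactivity timer, a last-chance email, deletion after a grace period, and a reset whenever the user logs in) is what the forum plugin automates. The script below is an added example written for this post; it is not the plugin's code or any site's actual implementation. The thresholds (warn after 365 days, delete 30 days after the warning), the `Account` fields, and the `send_last_chance_email` mail hook are all assumptions, and the accounts it runs over are constructed sample data. Accounts that registered but never logged in, the typical spam-bot signup, are aged from their creation date so they do not escape the sweep.

```python
"""Inactive-account sweep: warn, then delete, with the counter reset on login."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Assumed policy values (not from the post): warn after a year without a login,
# delete 30 days after the warning if the user still has not logged in.
INACTIVE_AFTER = timedelta(days=365)
GRACE_PERIOD = timedelta(days=30)

# Stand-in for the mail system: the sweep records what it would have sent here.
OUTBOX: List[Tuple[str, str, datetime]] = []


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass
class Account:
    username: str
    email: str
    created_at: datetime
    last_login: Optional[datetime] = None  # None: registered but never logged in (typical spam-bot signup)
    warned_at: Optional[datetime] = None   # when the last-chance email went out; None if no warning pending

    def last_activity(self) -> datetime:
        # An account that never logged in is measured from its creation date,
        # otherwise it would never age out.
        return self.last_login or self.created_at


def record_login(account: Account, when: datetime) -> None:
    """A login resets the inactivity counter and cancels any pending deletion."""
    account.last_login = when
    account.warned_at = None


def send_last_chance_email(account: Account, deadline: datetime) -> None:
    # Hypothetical mail hook; a real one would send the message and log the attempt.
    OUTBOX.append((account.username, account.email, deadline))


def sweep(accounts: List[Account], now: datetime) -> Tuple[List[Account], List[Account]]:
    """Decide, for one run of the periodic job, which accounts to warn and which to delete."""
    to_warn, to_delete = [], []
    for acct in accounts:
        if acct.warned_at is not None:
            # Already warned: delete only once the grace period has passed and there
            # has been no login since the warning (defensive: record_login clears
            # warned_at, but another code path might only update last_login).
            if now - acct.warned_at >= GRACE_PERIOD and acct.last_activity() < acct.warned_at:
                to_delete.append(acct)
        elif now - acct.last_activity() >= INACTIVE_AFTER:
            to_warn.append(acct)
    return to_warn, to_delete


def run_sweep(accounts: List[Account], now: datetime) -> Tuple[List[Account], List[str], List[str]]:
    """Apply one sweep: send warnings, drop deleted accounts. Returns (remaining, warned, deleted)."""
    to_warn, to_delete = sweep(accounts, now)
    for acct in to_warn:
        send_last_chance_email(acct, deadline=now + GRACE_PERIOD)
        acct.warned_at = now
    deleted = {acct.username for acct in to_delete}
    remaining = [acct for acct in accounts if acct.username not in deleted]
    return remaining, [acct.username for acct in to_warn], sorted(deleted)


def sample_accounts() -> List[Account]:
    """Constructed sample data covering each state the sweep has to handle."""
    t0 = utc(2018, 1, 1)
    alice = Account("alice", "alice@example.com", t0, last_login=utc(2019, 5, 1))  # active
    bob = Account("bob", "bob@example.com", t0, last_login=utc(2018, 2, 1),
                  warned_at=utc(2019, 4, 15))                                      # warned, grace expired
    spambot = Account("spambot123", "x@example.net", t0)                           # never logged in
    dave = Account("dave", "dave@example.com", t0, last_login=utc(2018, 5, 1),
                   warned_at=utc(2019, 5, 20))                                     # warned, still in grace
    erin = Account("erin", "erin@example.com", t0, last_login=utc(2018, 3, 1),
                   warned_at=utc(2019, 4, 1))
    record_login(erin, utc(2019, 5, 25))                                           # came back after warning
    return [alice, bob, spambot, dave, erin]


if __name__ == "__main__":
    accounts = sample_accounts()
    for when in (utc(2019, 6, 1), utc(2019, 7, 2)):
        accounts, warned, deleted = run_sweep(accounts, when)
        print(when.date(), "warned:", warned, "deleted:", deleted)
    print("outbox:", OUTBOX)
```

Running it on the sample data, the first sweep (2019-06-01) warns the never-logged-in account and deletes the one whose grace period expired, while the user who logged back in after a warning is left alone; the second sweep a month later deletes the remaining warned accounts. Two points the script leaves to the caller: "delete" must actually purge the password hash, email and profile data rather than flag the row, or the breach exposure the post describes remains; and if freed usernames are recycled, the new owner may receive mentions or messages meant for the old one, so a reservation period before reuse is worth considering.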
