Google has updated its inactivity policy for personal accounts to two years, in an effort to reduce the risk of accounts being compromised.
It said on its blog that unused accounts were often vulnerable to hacking, posing a risk of identity theft or unwanted content. Google’s internal analysis shows abandoned accounts are at least 10 times less likely to have two-step verification set up than active accounts.
The policy will apply across Google’s products and aligns the company with industry standards around retention and account deletion. However, the change will not affect accounts for businesses or schools, and Google will not begin deleting inactive accounts until December 2023. Before deletion, users will be sent multiple notifications over several months.
To keep an account active, users need to sign in at least once every two years. If an account has been signed into recently, it will not be deleted. Google has invested in technology and tools to protect users from security threats, including spam, phishing scams and account hijacking. However, forgotten or unattended accounts often rely on old or re-used passwords and may have not had two-factor authentication set up, and receive fewer security checks from users. Compromised accounts can be used for anything from identity theft to spam. By reducing the risk of account compromise, Google aims to provide safe and secure products and services for users.
