Deleting Old Accounts, or locking them?

No idea where this goes, so…

I’m in the process of cleaning out 15 years worth of accumulated Passwords in my Password Manager.
A LOT of accounts that are in there are either not needed anymore, services don’t exist anymore, or where just onetime logins for various reasons.

So, with that said, what’s the better idea? Request deletion of the accounts at their respective website, or setting a really secure Password that i don’t save and changing the email to one i won’t use to lock the account?

I can see a benefit in either. The first deleting (potentially) my data, the second restricting future access to my username.
I’m really uncertain which is the better idea here…

Wouldn’t some of those be gone because of gdpr?
I’ve gotten mails from some sites, informing me that if I didn’t log in within a few weeks, they’d delete my account because of gdpr.

If I were to do what you’re in the progress of, I’d use the password generator in your manager, and have it generate some insane passwords and then swap out password and email address on the account’s.

You could of course ask the sites to delete, but their response time might be long, which would drag out the progess to much?

Edit - typos

Some/Most sites offer an option to delete accounts in their settings. Though not all of them. Those that don’t, get locked for sure.
Still not sure on those where i can just delete the accounts through my account settings.

For some i have gotten mails, but certainly not all of them.

Why? Are you suspecting that they’ll just deactivate it, and not properly delete the data?

Either that, or that usernames might be “reusable”. So, after me deleting my account, someone else could maybe register with the same username.

It’s not that i’m THAT worried. There isn’t too much stuff where i’d care. I’d just like to take the “best” route when i’m touching all of those accounts anyways. It’s a bunch of work and i’d rather not do it twice.

1 Like

Some do just that. Either deactivate or randomize the account name and password.

I asked EA’s customer support to delete my EA account back in 2015, which they claimed they’d do. They wouldn’t even be able to inform me that the deletion was done because “all the data including contact info would be gone”.

Fast forward to 2 months ago, when I suddenly received an email from EA to inform me that I received a badge for being an EA member for x amount of years.
Tried logging in, didn’t work. Clicked the “I forgot my password” link, entered my email address … and they mailed me a link that allowed me to enter a new password. I do that, log in with my mail address and password, and end up in the control panel of an account named elrdgiufsdrogmn (or something like that).
Turns out they simply renamed the account, changed the password and unlinked the games that I bought. It was still linked to the old mail address though.

I then asked them again to delete the account, properly this time. It’s been 2 months now and I can still see my EA Answers HQ profile page … with my original (pre-deletion) username. I’ll try again early next year. If I can still get into the account, I’ll escalate it.

I always delete accounts on services that I don’t use. If I have to change email and lock them up is just as time consuming to click a few buttons to ask for deletion.

Some services would need to keep account details, even if inactive, for years, if there are financial transactions. Others might need to retain data for legal reasons.

I just generally expect the worst. That a company would keep the data, but mark it as inactive/private/“”Deleted”” because what would have happened?

And I am cynical

That was before GDPR.
Now the EU court can proper mess a company up that keeps data it has been asked to remove, UNLESS THEY HAVE A GENUINE NEED TO RETAIN, like for legal/financial records

decide on a case to case basis, some sites you will want to delete your account.
Some things like facebook, once you’re in it’s hard to leave if you have stalkers in particular, there is a bogus profile that was created with a female name and changed it’s name to my name sometime afterwards, it’s a really obvious bogus profile and I guarantee that if i delete my account it will change it’s profile picture to me and start to impersonate me so i’m effectively stuck there.
By the by, password managers are a honey pot and targeted, I’ve seen customers (hotel owners mostly) who were having all their email repeatedly accessed no matter how many times they changed their passwords, the only new thing since my previous visit was they were using 1password on all their PC’s and his personal phone, my money is the phone being the weak link but i have seen one other customer that was literally passed onto scammers impersonating telstra support by a legit telstra support worker because they outsourced all that years ago so now we all live in scammer hell

Personally, I would not trust that someone will actually delete an account or some data. I know from experience that it’s the opposite. You can ask for and delete requests and they keep everything anyway.
Some time ago we had a big leak in the customer base of a large store. Despite the fact that people submitted requests to the store to delete their account and data, the store kept them for years and when the data leaked, everything came to light.

1 Like

Export data where applicable, delete.

Overall its better to delete accounts so that you could be protected from future decisions that decide to hide you info rather than delete it outright.

Just make a folder to put deleted accounts for future reference.

Disable them, put them in a seperate OU, unless (or UNTIL) you legally HAVE to delete them.

Otherwise, once deleted, if they have permissions on anything in your environment, once the account is removed, all you’ll see is a random SID number and won’t know who it was, which can be useful for determining whether something is needed on your filesystem, etc. Or who the new owner should be.

Could also make forensics harder if the accounts are removed, as again you may just be dealing with SIDs everywhere.

ack… that’s from an admin perspective. From an internet end user perspective… eh… whatever. I’d just make sure they don’t use any passwords, remove my credit cards from them (and/or get a new card) and move on. May be useful to keep contact enabled so that if a service is ever compromised, you are informed of it.

What I’ve personally been doing over the past couple of months is going through all of my old emails, finding all the companies that have emailed me anything, going to their website, finding their GDPR/Privacy Officer (I “obviously” live in a EU country, and am totally not lying), and email requesting them to delete all of my data. It takes a couple of hours to find all the companies, but at least there’s a paper trail if I find out they didn’t delete anything. Been repeating these steps for many of my old email addresses.

I’ve got a buddy that prefers to offer false info in his accounts so that even if they are compromised the info will appear legit but won’t actually be useful for anything.

1 Like

Me every time I create a new account which doesn’t actually need my personal information (ex. Google, Facebook, and nearly everything else).

Fake name, phone number, birth date, address, fake gender, and “fake” email address (or a unique email alias if it requires a legit email).

I just realized that providing alias information will not help you, especially when using paid services which sucks. I envy North Americas because at least they have something like card.

1 Like

An interesting side effect to offering false info, is if someone is selling your info and spamming you, you will have an idea where it came from if you keep a log of what info you used where.


When i wasn’t a slacker and maintained my own email domain (which i really should set up again) i always used to generate an email address @ my domain for every subscription for this exact reason


[email protected]
[email protected]
[email protected]

works well, and gives you an idea of who to boycott.

We dont call them false info. Its more like alias identity.