Update, Nov. 12, 2024: This story, originally published Nov. 11 now includes details of how to securely manage multiple Gmail accounts on a single device and why you should.
I like to keep an eye on the various Google support forums, including the Gmail subreddit. So, when I saw someone asking whether Google deletes inactive Gmail accounts, I was kind of surprised, given that it’s almost exactly a year ago that I started warning users of this very danger. You likely won’t have nine different Gmail accounts, each used for a different purpose, as the person asking for help, but here’s what you need to know if you have any Gmail accounts that have not been used in a while.
The New Google Policy On Gmail And Photo Account Deletions Explained
As regular readers of the cybersecurity section of Forbes.com will be aware, a Google policy change put the Gmail and Photos content of some users at risk. In a change to the inactive account policy, Google announced that from Dec. 1, 2024, certain accounts would be deleted and content such as Gmail messages, Google Photo libraries and Google Docs archives would be deleted with them.
Google actually started emailing holders of accounts likely to be affected first by the inactive accounts policy change some 18 months ago now, with those being accounts that were opened but never actually used since. More recent emails have since been sent that confirmed other Gmail and Photos accounts will be closed in due course.
The new inactive account policy from Google defines inactivity as being an account that has not been used for two years. Moreover, the policy now states, “Google reserves the right to delete an inactive Google Account and its activity and data if you are inactive across Google for at least two years.” It’s critical to point out that this only applies to personal Google accounts, so business and educational accounts are not affected. When it comes to the data our content within an account that can be deleted, Google says that this is “determined based on each product’s inactivity policies.”
These product policy definitions are categorized by Google as account activity if it meets any of the following requirements:
- Reading or sending an email
- Using Google Drive
- Watching a YouTube video
- Sharing a photo
- Downloading an app
- Using Google Search
- Using Sign in with Google to sign in to a third-party app or service
The Security Reasoning Behind The Gmail And Photo Content Purge
With some 2.5 billion active users, according to Google itself, it is no wonder that Gmail is a primary target for many cybercriminals looking to gain initial access to other networks and accounts. Now, you might think that a Google account that has remained inactive for two years is hardly likely to be a worthwhile target for a sophisticated phishing campaign, but that doesn’t make them a waste of time for an attacker to target. Ruth Kricheli, a vice president of product management at Google, said when announcing the new inactive account policy update, “If an account hasn’t been used for an extended period of time, it is more likely to be compromised.” This is very accurate as it also means the account is way less likely to have had any recent security checks by the owner, let alone be using two-factor authentication or a secure password. “Our internal analysis shows abandoned accounts are at least 10x less likely than active accounts to have 2-step verification set up,” Kricheli said. Yet that account still has value to an attacker as it can be used as a launchpad for further attacks, and that is without considering that the information stored within it could still be a treasure trove of hacker-friendly data.
Next Steps To Protect Gmail And Photo Content From Deletion
In addition to referring to the previously listed account activities, Google users looking to protect their accounts need to follow only one simple rule: log in at least once every couple of years. I’d recommend making that every three months and taking a Google account security checkup while signed in to ensure you are keeping on top of your account security configurations.
If you can’t recall the login credentials for your inactive Google account, then maybe it’s a timely reminder to use a password manager app. That won’t help you immediately, though, but all is not lost. Start the Google account recovery process which requires the entry of a telephone number or recovery email address. Most of the time entering a known telephone number or email address, regardless if you’ve forgotten the details off your account, will prove successful. Google will send a text message or email to those recovery contacts and provide the details of the accounts associated with them. Once you have this level of detail, try to sign into the account and follow the route for forgotten passwords to set off the password recovery verification process.
Just remember that Google account activity, be it Gmail or Google Photos that you are interested in, is determined by account rather than device. So be sure to take action now to prevent your accounts from being tagged as inactive and risk losing important, if overlooked, Gmail and Google Photos data.
Manage Multiple Gmail Accounts On One Device The Secure And Easy Way With Google Account Switching
I heartily recommend having more than one Gmail account, mostly so that there is a safety cushion should your primary email account be compromised and you are locked out of it and the content within. To ensure you have a copy of all your important emails, you can set up a forwarding rule so that all incoming email to that primary account is also sent to the secondary one. If you want to be uber-organized you could have different and dedicated Gmail accounts for images, documents, family correspondence and so on. The only thing limiting forwarding rules is your imagination.
To create a new Gmail account:
- Sign out of your Google Account.
- Go to the Google Account sign-in page.
- Click on create account.
To ensure that your new Gmail accounts are as secure as possible, use a passkey where possible and preferably one tied to a different device than the primary account. You could also use two-factor authentication employing a standalone 2FA code-generating app rather than via SMS to the same telephone number as previously., as this will be a less risky option.
To manage multiple Gmail accounts from a single device you just need to follow these simple steps:
- Click on your avatar in the top right of any Google service you are signed into.
- Select the add account option.
- Select an existing account you wish to add and sign-in.
- Complete any two-factor authentication requirement and add a passkey for quicker and more secure access.
- Go back to your avatar and you will have more than one account to select from and can now switch on demand.
Now that you have multiple Gmail accounts up and running and linked to each by your forwarding rules. Comes the time-consuming but absolutely necessary bit: run Google’s account security checkup for each one in. I know that this might seem like a pointless task for brand-new accounts, but I’d argue this is the best time to ensure you are not getting into any bad security hygiene habits from the get-go.
Complete Google’s Security Checkup For Each Active Gmail Account
Google’s security checkup feature is free to use and a vital weapon in your Gmail account security armory.
Head to the link above, and you will find that Google has already filled in the details before you even get there. What this entails is an analysis of your security settings as they apply to your account t along with recommended actions to bolster your security posture if needed. Although you will find the recommendations listed in order of criticality, I’d recommend taking the extra few minutes it takes to go through them all anyway, to be on the safe, and secure, side.
Expect to find measures such as turning on safe browsing in the Chrome web browser, checking those Gmail forwarding rules that you will have made already, as well as options to see which email addresses are on your blocked list. An unfamiliar forwarding rule could have been established by someone who accessed your account without your knowledge, and an address added to your blocked list could be to prevent warning emails from arriving there. So, it is worth checking both of these.