How old online accounts become your biggest privacy risk

Every digital footprint assessment I run surfaces the same pattern. The client has strong passwords on their current accounts, two-factor authentication on their banking, and a reasonable handle on their active online presence. Then I pull their breach data and find 40 email-password combinations sitting in public databases. Their first reaction is always the same: “That’s an old password, I don’t use it any more.”

That reaction misses the point entirely. The threat comes from the forgotten accounts that still use that password, not the credential itself.

Old online accounts: how the attack chain works

The attack operates as a chain, and each link is mundane on its own. Someone obtains your email and a breached password from a 2016 data dump. They do not try to log into your bank with it. They try to log into the forum you signed up for in 2015, the cloud storage trial you forgot to cancel, the social platform you used for six months then abandoned.

Those accounts are almost certainly still active. They almost certainly still use that old password, because you never went back to change it. You forgot they existed.

Once inside a forgotten account, the attacker is not interested in the data stored there. They are looking for the data that lets them move sideways. A recovery email address that is still active. A phone number you still use. A linked social media profile. An authentication provider (Google, Facebook, Apple) that reveals which services share a single sign-on. Every forgotten account is a potential door into your current digital life.

I have mapped this chain across hundreds of assessments. The pattern is so consistent it is almost boring: the breach happened years ago, the forgotten accounts still respond to the old credentials, and inside those accounts sit the identifiers that connect directly to the person’s current setup.

Why “it’s an old password” is the wrong response

When someone sees an old password in a breach notification, the mental model is simple: “that password is compromised, but I changed it on the accounts I care about, so problem solved.” Except the problem was never about your primary accounts. It was always about the accounts you forgot.

Think about every service you have signed up for over the past fifteen years. Email newsletters. Free trials. Forums. Apps you downloaded once. Browser extensions that required an account. Gaming platforms. File-sharing services. Every one of those accounts was probably created with your main email address, a variation of the same password, and whatever phone number you had at the time.

Most of those accounts are still live. The platforms did not delete them when you stopped logging in. And many hold recovery information pointing directly to your current contact details. A Myspace account from 2008 might still list your current mobile number if you updated it at any point. A Tumblr account from 2013 might use your current Gmail as its recovery address.

The part that most digital footprint reduction strategies skip over entirely: even if the breached password itself is useless for your primary accounts, the forgotten account it unlocks contains metadata that is gold. Authentication provider details tell an attacker which accounts share a single sign-on. Linked social profiles reveal your current usernames. Recovery options expose your current phone number and email address.

The password opens the door. What sits behind it matters far more.

How investigators and attackers find your forgotten accounts

This is what I do professionally, so I can tell you exactly how it works.

Three tools perform reverse API lookups across hundreds of platforms, searching for every account registered to a given email address or phone number. OSINT Industries is the most capable. It queries hundreds of platforms simultaneously and returns registered accounts, real names, usernames, phone hints, secondary email addresses, account creation dates, and authentication providers. Epieos and EPSI cover similar ground with partial overlap and different data sources.

All three cost money. But anyone can access them for free through a Maltego trial. The Person of Interest package includes OSINT Industries, Epieos, and EPSI. The barrier to entry is effectively zero for anyone who knows the path.

Then there is username tracing. whatsmyname.app is free, open source, and searches over 500 platforms for any given username. Nine times out of ten, people reuse the same username across services. It is a natural human pattern. But it goes further than that. The prefix before the @ in your email address is almost always the same as a username you have used elsewhere. If your email is jsmith42@gmail.com, there is a strong chance “jsmith42” appears on Reddit, GitHub, a photography forum, and three other platforms you have not thought about in years.

I run these searches as standard practice in every digital footprint investigation. The average person has between 20 and 40 accounts they have completely forgotten about. For executives and public figures who have been online since the early 2000s, that number regularly exceeds 100.

Authentication providers: the invisible thread

This is the angle I think gets the least attention, and it is the one that matters most for people with compound exposure.

When OSINT Industries scans an email address, it returns authentication providers for each account it finds. That means it can identify whether someone uses “Sign in with Google”, “Sign in with Facebook”, or “Sign in with Apple” for a given platform. This creates an invisible thread between accounts that most people never consider.

If you used Google SSO to sign into a fitness app in 2017, and that app’s database was breached, the breach record does not just expose your email. It exposes the fact that your Google account is the authentication backbone for that service. An attacker now knows your Google account is worth targeting, because compromising it gives them access to every service where you used Google sign-in.

The reverse also applies. If an attacker gains access to a forgotten account through an old password, and that account shows “Sign in with Facebook” as an authentication option, they now know you have a Facebook account and can start building a target list of services likely linked to it.

For high-net-worth individuals with complex digital lives, the SSO web can be extensive. I have seen assessments where a single Google account was the authentication provider for over 30 services, many of which the client had no memory of authorising. That is not a password problem. That is an architecture problem.

Why this hits high-exposure individuals hardest

The forgotten account problem scales with two things: how long you have been online and how many services you have touched. Someone who registered their first email in 1999 and has held multiple directorships, changed addresses several times, and maintained both personal and professional online presences will have a vastly larger graveyard of forgotten accounts than someone who got their first smartphone in 2018.

Executives face a specific version of this. LinkedIn is the obvious platform, but many have created accounts on industry forums, conference platforms, early-stage social networks, and professional directories that no longer exist in their original form but whose databases persist in breach compilations. I have found breach records containing corporate email addresses paired with passwords that were clearly also used for personal accounts.

PAs and family office staff compound the issue further. Accounts created on behalf of a principal, often using the principal’s email but the PA’s choice of password, create an exposure surface the principal has no visibility over. I have assessed clients who discovered accounts they never knew existed, created by former staff using their personal email address.

The data broker pipeline makes all of this worse. Services like 192.com, Tracesmart, and PeopleTraceUK hold your current address and contact details. If an attacker combines breach data from a forgotten account with a current address from a people-search site, they have enough to attempt account recovery, SIM swap fraud, or targeted social engineering. Cifas recorded 421,000 fraud cases in 2024, the highest on record, with facility takeover surging 76% and SIM swap fraud rising 1,055%.

Closing accounts is the highest-value action most people skip

Deleting old posts is cosmetic. Closing old accounts entirely eliminates attack surface permanently. It is time-consuming, and I understand why people put it off, but it is one of the few actions in this entire space that produces a lasting result rather than a temporary reduction in visibility.

justdeleteme.xyz maintains up-to-date deletion instructions for hundreds of platforms. I recommend it to every client. Some accounts can be closed in seconds. Others require email exchanges with support teams over several days. A handful will refuse deletion entirely, at which point you exercise your right to erasure under UK GDPR Article 17.

The principle most people miss after closing an account: deletion does not remove cached search engine results. If you close your LinkedIn profile but do not request Google and Bing to delist the cached version, your professional history remains searchable for months. Every account closure must be followed by a search engine delisting request. Google’s Results About You tool handles some of this automatically, but it only covers Google. Bing delisting simultaneously covers Yahoo and DuckDuckGo. That still leaves Yandex, which investigators specifically use to find content that Google has already removed.

Most automated removal services do not touch old accounts at all. They focus on data broker listings. The forgotten account problem sits in a gap that no automated tool addresses, because every person’s account history is unique and there is no template for it. It requires mapping first, then systematic closure, then search engine follow-up. In that order.

What I actually recommend

Start with the mapping. You cannot close what you do not know exists. Run your primary email addresses and phone numbers through reverse lookup tools. Check whatsmyname.app for your common usernames. Pull your breach data from HaveIBeenPwned and cross-reference every breached service against your memory of active accounts. Anything you do not recognise or cannot remember closing is still live until proven otherwise.
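The mapping step above, together with the SSO fan-out described in the authentication providers section, as an added example that is not the author's tooling: it takes constructed breach records (field names follow HaveIBeenPwned's breach objects as an assumption), constructed reverse-lookup results and the list of accounts the person actually remembers, then ranks the unrecognised services for closure and counts how many forgotten accounts hang off each SSO provider. All domains and records are made up.

```python
"""Forgotten-account mapping (added example, constructed data): cross-reference
breach records, reverse-lookup results and remembered accounts; rank what to close."""
# Breach records in the shape of HaveIBeenPwned breach objects (field names assumed).
BREACHES = [
    {"Name": "FitTrack", "Domain": "fittrack.example", "BreachDate": "2017-06-01",
     "DataClasses": ["Email addresses", "Passwords", "Phone numbers"]},
    {"Name": "PhotoForum", "Domain": "photoforum.example", "BreachDate": "2016-02-11",
     "DataClasses": ["Email addresses", "Passwords", "Usernames"]},
    {"Name": "MainBank", "Domain": "mainbank.example", "BreachDate": "2020-01-05",
     "DataClasses": ["Email addresses"]},
]
LOOKUPS = {  # reverse-lookup results per service (constructed): SSO and recovery hints
    "fittrack.example": {"auth": "google", "recovery_phone": True},
    "photoforum.example": {"auth": None, "recovery_phone": False},
    "oldcloud.example": {"auth": "google", "recovery_phone": True},
    "mainbank.example": {"auth": None, "recovery_phone": True},
}
KNOWN_ACTIVE = {"mainbank.example"}  # services the person remembers and controls

def username_candidates(email):
    """Email local part and its obvious variants, the handles to search for."""
    local = email.split("@")[0].lower()
    return sorted({local, local.replace(".", ""), local.replace(".", "_")})

def map_exposure(breaches, lookups, known_active):
    """Rank every service not on the known-active list; highest risk first."""
    by_domain = {b["Domain"]: b for b in breaches}
    findings = []
    for dom in set(lookups) | set(by_domain):
        if dom in known_active:
            continue  # still worth reviewing, but it is not a forgotten account
        breach, info = by_domain.get(dom), lookups.get(dom, {})
        reasons = []
        if breach and "Passwords" in breach["DataClasses"]:
            reasons.append((3, f"password leaked {breach['BreachDate']}"))
        if info.get("auth"):
            reasons.append((2, f"SSO via {info['auth']}"))
        if info.get("recovery_phone"):
            reasons.append((1, "current recovery phone on file"))
        findings.append((sum(w for w, _ in reasons), dom, [r for _, r in reasons]))
    return sorted(findings, reverse=True)

def sso_fanout(lookups, known_active):
    """Forgotten accounts per SSO provider: the invisible thread as a count."""
    counts = {}
    for dom, info in lookups.items():
        if dom not in known_active and info.get("auth"):
            counts[info["auth"]] = counts.get(info["auth"], 0) + 1
    return counts
```

Feed `username_candidates` the handles to check on whatsmyname.app, and work the `map_exposure` list top down: the highest score is the account whose old password and recovery details together open the most doors.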

For anyone with compound exposure, whether that is multiple properties, directorships, or a public profile, this is not a weekend project. The mapping phase alone typically surfaces 30 to 100 forgotten accounts, each of which needs to be individually assessed, closed, and followed up with search engine delisting requests across multiple engines.

If you want the assessment done properly, get in touch. I have mapped and closed account graveyards for executives, public figures, and families who had no idea how exposed they were through services they signed up for a decade ago and never thought about again. The forgotten account attack chain is real, it is being actively exploited, and shrugging off that old breached password is exactly the response an attacker is counting on.

Aaron Barnes-Wilding — Barnveil founder and privacy intelligence expert


Former intelligence analyst and licensed investigator with over a decade of experience in OSINT, counter-fraud, and digital privacy. Advises high-net-worth individuals, solicitors, and corporates on data exposure and removal strategies.