Ghost account

Ghost accounts are inactive or unused online accounts that have not been deleted by the user. They take many forms, from a neglected, forgotten or no longer accessible social media profile to an abandoned email account.

Most people have an account they no longer use. But while abandoned accounts may seem irrelevant to the user, they can be a jackpot for hackers. Their dormant status grants quick and easy access for hackers interested in exploiting personal data in the commission of a cybercrime. They can also be used to spread propaganda. 

How it works:

Typically, hackers will perform “credential stuffing” or “password spraying” to breach ghost accounts. “Credential stuffing” gathers already leaked usernames and passwords (often purchased on the dark web) and uses an automated tool to submit the credentials into hundreds of applications and online services.

“Password spraying” is a less precise, brute-force attack that tests popular passwords against random usernames (this is commonly effective when an application or service sets a default password for new users). Both methods are quick and can yield a high percentage of hits depending only on the quality of the passwords protecting accounts.  

To the hacker’s advantage, much of this activity goes unnoticed since the abnormal behavior is happening in a sort of cyber no man’s land.
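The two patterns described above leave different traces in login records, and a successful login to a long-dormant account from such a source is the event worth alerting on. The detection logic below is an added example, not part of the original page; the log fields, thresholds, account names and IP addresses are constructed, and it assumes the login service records a keyed fingerprint of each submitted password.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DORMANT_AFTER = timedelta(days=180)  # assumed dormancy threshold
MIN_USERS = 4                        # assumed: distinct usernames per source before flagging

# Constructed sample data: last legitimate activity per account.
LAST_ACTIVE = {
    "alice": datetime(2024, 5, 30), "bob": datetime(2022, 1, 10),
    "carol": datetime(2024, 5, 28), "dave": datetime(2021, 7, 4),
    "erin": datetime(2024, 6, 1), "frank": datetime(2020, 3, 15),
}

# Constructed login events: (time, source IP, username, password fingerprint, success).
# The fingerprint stands for a keyed hash of the submitted password (assumed to be logged).
T0 = datetime(2024, 6, 2, 3, 0)
EVENTS = (
    # One password tried against many usernames: the spraying pattern.
    [(T0 + timedelta(seconds=i), "203.0.113.7", u, "fp-default", u == "dave")
     for i, u in enumerate(["alice", "bob", "carol", "dave", "erin"])]
    # A different password for each username: the stuffing pattern.
    + [(T0 + timedelta(seconds=60 + i), "198.51.100.9", u, f"fp-leak-{i}", u == "frank")
       for i, u in enumerate(["alice", "bob", "carol", "frank"])]
    # An ordinary login by an active user.
    + [(T0 + timedelta(minutes=5), "192.0.2.44", "erin", "fp-erin", True)]
)

def classify_sources(events):
    """Label each source IP as 'spraying', 'stuffing' or None from its attempts."""
    users, fps = defaultdict(set), defaultdict(set)
    for _, ip, user, fp, _ in events:
        users[ip].add(user)
        fps[ip].add(fp)
    labels = {}
    for ip in users:
        if len(users[ip]) < MIN_USERS:
            labels[ip] = None            # too few accounts touched to judge
        elif len(fps[ip]) <= 2:
            labels[ip] = "spraying"      # few passwords, many usernames
        else:
            labels[ip] = "stuffing"      # roughly one password per username
    return labels

def dormant_takeovers(events, last_active):
    """Successful logins to dormant accounts from a source flagged above."""
    labels = classify_sources(events)
    return [(user, ip, labels[ip]) for when, ip, user, _, ok in events
            if ok and labels[ip] and when - last_active[user] > DORMANT_AFTER]
```

On the constructed data, the two flagged sources each succeed against one dormant account, while the ordinary login by an active user is ignored.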

Account Takeover Attacks: What Do They Look Like?

Cyberattacks that leverage ghost accounts are often referred to as Account Takeover Attacks (ATAs).

There are a few different ways ATAs are carried out. 

A hacker commonly executes an ATA for financial gain. After breaching a dormant account, the hacker may make large purchases. They will typically do this quickly before the victim notices the crime. ATAs result in billions of dollars of fraudulent activity every year. 

It’s important to note that these attacks often result from poor password hygiene, specifically password reuse. It’s not unusual to provide minimal personal information on an account (think free trials). The value to the hacker comes when the credentials used on the free trial match your bank login credentials.

Other forms of ATA: 

ATAs can be used in large-scale scams as well. In 2017, cybercriminals breached a cache of stale accounts among Amazon’s third-party sellers. They then posted fake items on Amazon’s site and collected thousands of dollars in fraudulent sales. This malicious activity went entirely unnoticed by Amazon until customer complaints began flooding in.

ATAs also occur on popular sites like Twitter or Facebook, where ghost accounts can be harnessed for use as a political tool to push various agendas or misinformation. Twitter has deactivated millions of exploited profiles in an attempt to curb the misuse of ghost accounts. 

Key Takeaways: 

Just because you are no longer using your accounts, it doesn’t mean someone else isn’t, and this poses a major security risk. 

To protect yourself from ATAs, compile an inventory of your unused accounts. This may take some digging: Hunt for them in your email inbox, check for accounts where you used Google or Facebook to log in, and check sites like

Sites like Just Delete Me and Account Killer can also help. 

Next, make sure to delete – and not merely deactivate – your account. 

Finally, avoid using default passwords which increase your vulnerability to automated password spraying. A password management system can help maximize your online security.