Inactive and non-maintained accounts pose significant security risks to users and businesses, with cybercriminals adept at using information stolen from forgotten or otherwise unmaintained accounts to exploit active accounts. That’s according to Okta’s first Customer Identity Trends Report, which surveyed more than 20,000 consumers in 14 countries about their online experiences and attitudes towards digital security and identity.

It found that increasing identity sprawl can trigger significant account takeover (ATO) security risks due to accounts that haven’t been used or even thought about in years, particularly if customers reuse (or only slightly alter) passwords or do not perform security reviews. A breach of any service may equip a threat actor with a huge volume of user credentials and associated personal data, with attackers adept at using this information at scale to compromise active accounts, including important business accounts and networks.

The report came after Google announced that it is updating its inactivity policy for Google Accounts to two years, meaning that if a personal account has not been used or signed into for at least two years, it may delete the account and its contents. This includes content within Google Workspace (Gmail, Docs, Drive, Meet, Calendar) and Google Photos, with the new rules coming into force no earlier than December 2023, the firm said.

Account sprawl a contributing factor to inactive account risks

The sheer volume at which new accounts are set up creates notable account churn – a sprawl-like concept where newer accounts “retire” others without adding to a user’s collection of active accounts. The older accounts are not deleted but often become unused and forgotten, sometimes for years. This proliferation of accounts is most prevalent among younger users, but significant across most age groups, according to Okta’s report.
The estimated number of new online accounts registered in the last three months by 18- to 29-year-olds is just over 40, dropping slightly to 35 and 34 for those aged 30-39 and 40-49, respectively. Those aged 60 and over are estimated to have set up around 20 new accounts in the last three months.

A significant challenge of account churn is the ability to securely manage and maintain digital footprints across large numbers of accounts. Okta’s report found that 71% of respondents are aware that their online activities leave a data trail, but only 44% take steps to mitigate it. Password management appears to be a particular sticking point, with 63% of respondents reporting that they’re unable to log in to an account because they forgot their username or password at least once a month, the report said. While password resets are usually possible, users might decide that the process is simply not worth the effort, leading to more account inactivity. Only 52% of respondents reported that they still have access to all their accounts, while just 42% use different passwords for each account and only 29% regularly review/change account privacy settings.

Inactive accounts less likely to use MFA, receive security checks

Inactive accounts that haven’t been accessed for extended periods of time are more likely to be compromised, according to Google. “This is because forgotten or unattended accounts often rely on old or re-used passwords that may have been compromised, haven’t had two-factor (2FA) authentication set up, and receive fewer security checks by the user,” the firm added.

In fact, abandoned accounts are at least ten times less likely than active accounts to have 2FA set up, Google said.
This makes these accounts particularly vulnerable, and once an account is compromised, it can be used for anything from identity theft to a vector for unwanted or even malicious content, like spam.

Cybercriminals prioritizing stolen credentials to enhance attacks

More than 80% of breaches involving attacks against web applications can be attributed to stolen credentials, according to the Verizon 2022 Data Breach Investigations Report. Cybercriminals are prioritizing stolen credentials to enhance attacks and bypass security measures, even demonstrating a willingness to shift away from malware in favor of credential abuse to facilitate access and persistence in victim environments. This trend has also created clear demand for access broker services – criminal groups that sell stolen access credentials. There was a 112% year-over-year increase in advertisements for access broker services identified last year compared to 2021, with more than 2,500 advertisements for access detected across the criminal underground, according to the CrowdStrike 2023 Global Threat Report.