Google has announced plans to delete inactive accounts in an effort to improve security and reduce the number of compromised accounts.

According to a blog post by Ruth Kricheli, VP of Product Management, Google plans to begin deleting accounts and their content if those accounts have been inactive for at least two years. Kricheli says the accounts represent a major security risk, as they are many times more likely to be compromised.

If an account hasn’t been used for an extended period of time, it is more likely to be compromised. This is because forgotten or unattended accounts often rely on old or re-used passwords that may have been compromised, haven’t had two factor authentication set up, and receive fewer security checks by the user. Our internal analysis shows abandoned accounts are at least 10x less likely than active accounts to have 2-step-verification set up. Meaning, these accounts are often vulnerable, and once an account is compromised, it can be used for anything from identity theft to a vector for unwanted or even malicious content, like spam.

Google’s previous inactive account policy allowed for content to be deleted, but the account itself would not be. This new policy is a departure from that policy, with both content and account up for deletion.

To reduce this risk, we are updating our inactivity policy for Google Accounts to 2 years across our products. Starting later this year, if a Google Account has not been used or signed into for at least 2 years, we may delete the account and its contents – including content within Google Workspace (Gmail, Docs, Drive, Meet, Calendar), YouTube and Google Photos.

Fortunately, with a two-year window, keeping an account active shouldn’t be all that hard.