Author: Fel Gayanilo, Secretary General, Cybersecurity Advisors Network (CyAN)
Forgotten online accounts pose a hidden cybersecurity risk, especially when linked to outdated recovery details and recent data breaches.
Proactive digital hygiene—like updating info, enabling MFA, and deleting unused accounts—is essential to protect your identity.
I want to tell you about a friend of mine. Years ago, this friend signed up for a Qantas Frequent Flyer account. Like many of us, it was a set-it-and-forget-it situation. The password was never updated. The account still had an old phone number and email address attached. When my friend recently tried logging in, the recovery process failed completely. There was no way to get the reset code or verify the account. Locked out and frustrated, my friend gave up.
What this friend did not realise was that the timing could not have been worse. Just last week, Qantas confirmed that the personal details of up to six million customers were compromised. The breach happened through a third-party customer service platform. Exposed information included names, email addresses, phone numbers, dates of birth, and Frequent Flyer numbers.

“In the current threat landscape, organizations need to implement an AI-driven identity architecture that continuously assesses data exposure, application risks, threat vectors, and posture vulnerabilities across both human and machine identities. This enables automated enforcement of Least Privilege principles, mitigating the risk of identity-based attacks and preventing severe security breaches.”
Bharat Raigangar – Global Head of Cyber, Risk & Compliance – Board Advisor
Although passwords and payment details were not part of the leak, this should still be a serious wake-up call. Anyone with a forgotten or neglected account could be exposed, even if they are no longer actively using it.
I break this down in more detail in my latest article: The Qantas Breach: What We’ve Learned and What You Can Do Now
In that piece, I explore how threat actors take advantage of overlooked access points and third-party services. The Qantas incident highlights how breaches are not always about a company’s internal system getting hacked. Sometimes, it is about the people and systems around it. And sometimes, the most vulnerable target is a forgotten account that no one is watching.
This situation lines up with a recent article by Amber Bouman, published on Tom’s Guide. The article is titled “Your Old Accounts Are an Online Gold Mine for Cybercriminals — What You Need to Do Right Now to Stay Safe.” Amber explains how outdated accounts are often protected by weak passwords and cannot be recovered if your old contact information no longer works. These are the accounts criminals love to find, because they are easy to take over and hard to trace back to the real owner.
When you look at both stories side by side, the risk becomes very real. On one hand, a breach leaks your information into the wild. On the other hand, your ability to do anything about it is blocked because you have lost access to the account. It creates a dangerous gap that many people do not even know exists until it is too late.
“In cybersecurity, it’s not always the systems you monitor that fail you—it’s the forgotten ones you don’t. Vigilance over every digital footprint is no longer optional; it’s essential.”
Fel Gayanilo, Secretary General, Cybersecurity Advisors Network (CyAN)

Here is what I recommend for everyone reading this:
- Go back and check your old accounts. This includes airline programs, shopping sites, subscriptions you no longer use, and anything else you might have signed up for years ago.
- Make sure your recovery details are updated. Use a current email address and phone number.
- Turn on multi-factor authentication whenever possible. Even a basic second step makes a big difference.
- Delete accounts you no longer use. If there is no value in keeping them, closing them removes the risk completely.
- Have this conversation with your friends and family. Most people do not think about these things until something goes wrong.
Cybersecurity is not just about firewalls and encryption. It is also about personal responsibility. Your digital footprint is your responsibility, and the decisions you make now will affect how easy it is for someone else to walk in later.
A forgotten account may not seem important, but in the wrong hands, it becomes an open door. Security starts with awareness, and awareness starts with small actions that you can take today.
You can read Amber Bouman’s full article here: Tom’s Guide – Your Old Accounts Are an Online Gold Mine for Cybercriminals https://share.google/TElC5YvxVhjQHkjhi
And if you want to understand how this connects to the Qantas breach, my full article is live here: The Qantas Breach: What We’ve Learned and What You Can Do Now https://www.linkedin.com/pulse/qantas-breach-what-weve-learned-you-can-do-now-fel-gayanilo-aqpoc
Take a moment this week to check your old accounts. The longer they sit forgotten, the more useful they become to someone else.
About the Author
Fel Gayanilo is a cybersecurity enthusiast, currently Secretary General at CyAN, where he combines his leadership, communications and technical curiosity to help build a robust and secure digital world. His journey into the cyber arena began with a career in hospitality and operations, where he built the adaptability, people skills, and strategic thinking that thrive in high-pressure environments.
He holds a Certificate IV in Cybersecurity from Melbourne Polytechnic and has expertise in identity management, governance, and penetration resilience. He is an insightful author who makes complex topics approachable to Gen Z and Gen Alpha.