Your old emails might be harboring dirty secrets: delete them while you can


We’re all guilty of keeping emails in our inbox for far too long. You might have tens of thousands of emails in your inbox right now. But is it safe? We asked cybersecurity experts to weigh in on the topic and answer the question: should we keep ancient emails in our inbox?

Recently, a Reddit community posted an interesting thread titled ‘How old is your oldest email?’

The post said:

“We found an old Toshiba Satellite laptop the other day in a closet that was still operational. Fired it up. Windows 95. Had Groupwise Remote on it with a few mailboxes intact. One of them had emails dating back to 1996. I'm pretty sure those are the oldest living emails in our organization by at least a few years. It was like opening up a time capsule. What's the oldest email you've seen in your organization?”

Some of the comments mentioned that they’ve had emails in their inboxes since 1996, and this got me thinking: Is it safe to keep emails in your inbox for decades?

Think of the treasure trove of potentially sensitive information just waiting to be snatched up by threat actors if you don’t regularly clean your inbox.

But what’s the worst that could happen? I consulted experts to help me answer the question.

To clean or not to clean?

PII in your inbox

While it might be tempting to store private and company information in your inbox – and email security has certainly improved over the years – many experts agree that this isn’t a good idea.

“An inbox is not inherently a safe place to store sensitive information. While email providers implement various security measures, inboxes are frequent targets for cyberattacks,” said the CEO of SubRosa Cyber Solutions, John Price.

It’s never wise to keep emails containing personally identifiable information (PII) in your inbox, as email is one of the easiest ways cybercriminals can catch you.

However, this topic isn’t as simple as it may seem. While email, especially older emails, might not have the right security measures, the security of your emails depends on what provider you use and the type of email.

“It’s a complex question and depends on many aspects, such as whether the inbox is cloud-based or stored on your computer. Is it encrypted or stored in plain text? What service do you use, and what methods and tools do you use to keep your accounts and passwords safe?” said Nati Tal, Head of Guardio Labs, a company that manages new security threats across the internet.

However, if you want the abridged answer, then it’s a decisive no, Tal continued.

Ancient emails: keep or delete?

But what about old emails?

Surely, older emails will only contain outdated information that doesn’t attract any unwanted attention?

“Keeping old emails, especially those from decades ago that contain sensitive information, poses significant security risks,” Price said.

Specifically, older emails may be stored in insecure formats or on systems that aren’t adequate today.

“Old emails may contain outdated security measures that are no longer effective, making them vulnerable to attacks,” said Senior Manager of Security Operations at CrashPlan Fletus Poston III.

Furthermore, older emails may not be stored in secure formats, leaving you vulnerable to attacks.

However, some reasons to think twice about keeping old emails aren’t strictly about email security.

“Am I especially worried about what a bad guy could do with all the email invoices from the electric utility company from back when I lived in Miami years ago? Not so much. Did I ever write an email years ago that would potentially embarrass me today? Probably! Thus, keeping old emails around forever is perhaps not the best thing to do for reasons not limited to security best practices,” Al Iverson, industry research and community engagement lead at Valimail, said.

According to UST Chief Information Security Officer Joey Rachid, keeping a lot of old emails, especially those that contain sensitive information, widens your attack surface.

“Storing old emails increases your attack surface. In other words, the more data is stored, the larger the attack surface. This increases the potential vulnerabilities that could be exploited.”

How could your emails be exploited?

Focussing on the word exploited, bad actors could leverage information from your inbox to craft more strategic and convincing phishing attacks on you.

Email inboxes are a rich source of information for cybercriminals, and all our email accounts are constantly under siege from spearphishing and imposter attacks. An email box is far more likely to be compromised by an uncautious user than lost by the email company that hosts your messages, cybersecurity expert and former FBI Operative Eric O'Neill said.

Most bad cyber situations happen in the email environment. Hackers will skulk around unsecured inboxes looking for valuable information, Price said.

“Hackers may attempt to breach accounts to access personal or business information stored in emails, which can then be used for identity theft, financial fraud, or corporate espionage. Therefore, it's advisable to store sensitive information in more secure environments, such as encrypted storage solutions specifically designed for data protection.”

Securing your email environment is essential if you’re running a business because if cybercriminals breach business emails, you and your clients could be at risk.

What if you were hacked

So, what happens when your inbox containing a treasure trove of information is compromised?

“If your system is hacked and old emails are obtained, those individuals are now at risk, as is your business reputation. When hacking occurs, a business wants to contain the hacking to have the most minor damage. Otherwise, great financial and reputational harm can spread far and wide,” Senior Associate at Cyber Law Firm Melissa Sherman said.

On an individual level, your inbox could attract the attention of people who are looking to scam and swindle you.

“Old emails may contain outdated passwords, credit card numbers, or other sensitive information that could be exploited by attackers. Malicious actors might use old email addresses to send targeted phishing attacks, trying to trick users into revealing login credentials or other sensitive data. Keeping old emails can attract unwanted attention from spammers, scammers, or even law enforcement agencies,” Poston said.

Ancient emails hold more power than you think, as they could allow bad actors a glimpse into your life and allow them to capitalize on all the information you’ve allowed them to see.

“No matter how unlikely a threat, old emails serve as breadcrumbs into your past, present, and future. A hacker could compile contact information to steal your identity. Someone could piece together keywords to guess your passwords (like figuring out your maiden name by looking at an email from your grandmother). An attacker can use your employment history or information about your family to gain your trust through a scam or blackmail you for money. Past emails could even implicate you or someone you know in a civil or criminal case,” Joe Warnimont, Security and Technical Expert at HostingAdvice, said.

Avoid compromise: drag and delete

The best way to avoid compromising the sensitive information in your inbox is to ensure that there is no personally identifiable information (PII) that can be exploited.

Many experts agree that you should regularly delete unnecessary information from your inbox and store emails that include personal information in a secure location, like a ZIP folder.
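To find which old messages are worth deleting or moving first, you can scan an exported mailbox for the kinds of data the experts mention. The sketch below is an added example, not something from the experts quoted here: it flags messages older than a cutoff date whose text contains a card-like number (checked with the Luhn checksum) or a password-style phrase. The sample messages, the cutoff and the patterns are constructed assumptions.

```python
import re
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators
SECRET_RE = re.compile(r"\b(?:password|passwd|pin)\b\s*(?:is|:|=)", re.I)

def luhn_ok(digits):
    """Luhn checksum: filters out order numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def sent_at(msg):
    """Date header as an aware datetime, or None if missing or unparseable."""
    try:
        dt = parsedate_to_datetime(msg["Date"])
    except (TypeError, ValueError):
        return None
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def body_text(msg):
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    return "\n".join((p.get_payload(decode=True) or b"").decode("utf-8", "replace") for p in parts)

def audit(raw_messages, cutoff):
    """Return (subject, findings) for messages older than cutoff holding PII-like data."""
    report = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        sent = sent_at(msg)
        if sent is not None and sent >= cutoff:
            continue  # recent mail is out of scope; undated mail is still reviewed
        text, findings = body_text(msg), []
        if any(luhn_ok(re.sub(r"\D", "", m)) for m in CARD_RE.findall(text)):
            findings.append("card-number")
        if SECRET_RE.search(text):
            findings.append("credential")
        if findings:
            report.append((msg["Subject"], findings))
    return report

# Constructed sample messages (not real mail); 4111 1111 1111 1111 is a well-known test number.
SAMPLES = [
    "Date: Tue, 03 Mar 2009 10:15:00 +0000\nSubject: Re: booking details\n\nCard 4111 1111 1111 1111, portal password: hunter2\n",
    "Date: Mon, 06 Jun 2011 09:00:00 +0000\nSubject: Your invoice\n\nOrder 1234567890123456 has shipped.\n",
    "Date: Fri, 05 Jul 2024 12:00:00 +0000\nSubject: New account\n\nYour password is changeme\n",
]
CUTOFF = datetime(2020, 1, 1, tzinfo=timezone.utc)
```

For a real export, the standard library's `mailbox.mbox` can supply the messages; a flagged message is a candidate for review, not proof of exposure.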

Use encryption and secure storage for business accounts. You don’t want your customers' personal information leaked due to poor cybersecurity practices.

What comes first is a secure and safe email environment. Here are some ways you can achieve this:


“Practice what I call email archeology. Take care when examining email. Hunt for the threat, and do not blindly trust what you read. Remember, cybercriminals are masters of deception, and email is their greatest weapon. Trust nothing, verify everything,” O’Neill concludes.