How to find forgotten accounts tied to your email
Surface old accounts you signed up for years ago and forgot about — the ones still holding your name, photos, and personal data. An email-based playbook for shrinking your attack surface.
Published 2026-04-14 · 5 min read · CheckMate Blog
Every adult with a decade of internet history has a trail of forgotten accounts: the old forum you registered for a single comment in 2014, the dating app you deleted off your phone but never from the server, the crypto exchange you signed up for before you finished reading the whitepaper, the fitness tracker, the photo-sharing site, the beta of a service that no longer exists. Each of those accounts still stores your email, a password hash, and whatever data you uploaded. Many have been in a breach you never heard about. Finding them is the first step to closing them — or at minimum knowing what's out there.
A forgotten account is not harmless. It is a live attack surface. The password you used in 2014 was probably reused, or close enough that a modern guesser can crack it from a breach dump. The email address attached to it still routes to you. Any personal data you entered — real name, birthday, home town, photo — is still sitting in that service's database, and will leak the next time someone left the door open. You don't need to care about every old account. You need to know they exist so you can decide.
- Security: old passwords get leaked and credential-stuffed against your modern accounts. A forgotten account with a reused password is a backdoor into your current life.
- Privacy: photos, biography, location history, and contact details you entered years ago are still queryable. Future-you might not love that.
- Hygiene: some services auto-renew subscriptions, send marketing emails, or keep targeting you with ads long after you stopped caring.
- Identity clarity: if someone googles you, forgotten accounts can shape the impression — an abandoned dating profile from 2016 is not the introduction you'd pick today.
The fastest way to enumerate forgotten accounts tied to an email is to run the email through an OSINT aggregator that checks hundreds of services at once. CheckMate.bio is built for exactly this — it takes an email and returns every public service that recognises it, grouped by category, with confidence scores.
- Open checkmate.bio and enter your primary email. The free scan returns category counts — social, dating, gaming, forums, shopping, crypto, and so on. This alone often surprises people.
- If more than five categories come back, unlock the detailed report (~$0.99). You get per-service results: service name, profile URL, username, creation date, and last-active date.
- Skim the list for names you don't remember creating. Forgotten accounts usually cluster in three places: forums tied to a single hobby you dropped, services that rebranded or got acquired (you signed up for X, now it's called Y), and apps you tried once from a deal or referral.
- Note the 'Account created' and 'Last active' dates. Anything with creation >3 years ago and last active >1 year ago is a strong candidate for 'forgotten'.
Most people have more than one email address: a primary one, a throwaway for signups and receipts, an old school or work address, sometimes a first-gen Hotmail/Yahoo address from the 2000s. Forgotten accounts usually live on the throwaway and the legacy addresses — that's literally why you created them. Run CheckMate.bio on every address you've ever used. It is the single biggest multiplier on how many forgotten accounts you surface.
- Primary email: the accounts you consciously maintain plus a few neglected ones.
- Throwaway or 'signup' email: the motherlode. Every product trial, coupon code, and app you tried once.
- Old school or work email: accounts you created before you had a personal brand — forums, gaming profiles, early social networks.
- Legacy first-email addresses (Hotmail, Yahoo, AOL): often still receive breach notifications and reset links, still active even if you haven't opened them in years.
Not every match is a forgotten account — some are current accounts you simply don't think of every day. Use these filters to separate forgotten from active.
- Creation date more than three years ago AND last active more than one year ago: high probability forgotten.
- Service you don't recognise by name: open the profile URL. If the bio, photo, or username is yours but you have no memory of it, that's a forgotten account.
- Category you'd never use today (old-school forum, defunct social network, niche hobby platform): almost certainly a forgotten account.
- Confidence 50%–80% with an unfamiliar username: worth investigating manually. Might be you, might be a name collision.
Once you have the list, decide per-account. There are four reasonable options.
- Delete it. If you don't want the account, go to the service, log in (use the 'forgot password' flow), and use the in-app delete option. Under GDPR/CCPA you can also email their privacy contact and request erasure if the UI doesn't offer it.
- Secure it. If you might want it again, change the password to a unique one from a password manager, enable 2FA, and check what personal data is attached. Keep the account but close the holes.
- Migrate the email. If the account is tied to a legacy email you want to retire, change the account email to your current primary before you abandon the old inbox.
- Leave it and document. Some accounts can't be deleted (or the company no longer exists). Note them in a personal record so future-you knows why that profile shows up in a search.
CheckMate.bio is the fastest single source, but combining it with a couple of other sources gives you a more complete picture.
- Search your own inbox for the word 'welcome', 'verify', or 'confirm your email'. You'll find signup receipts going back years — each one is a forgotten account.
- Check your password manager (if you use one) for entries you haven't touched in two years.
- Run your email through haveibeenpwned.com to see which breaches it appears in. A breach on a service you don't remember using = a forgotten account.
- Check Google / Apple / Facebook sign-in history: 'Sign in with X' accounts are easy to forget because you never had a direct password.
Everything above is about your own email. If you're helping a family member — an elderly parent who lost track of their accounts, a deceased relative's estate, a friend recovering from identity theft — make sure you have their consent or legal authority first. CheckMate.bio returns publicly observable data, but the decision to act on that data (deleting accounts, contacting services) belongs to the account holder or their authorised representative.
You can't secure what you don't know exists. Finding forgotten accounts is the cheapest security upgrade you can give yourself in an afternoon.
CheckMate.bio groups findings into categories (social, gaming, dating, adult, finance, professional, and more) and attaches a confidence score to every match. A score of 80% or higher means the email is almost certainly linked to that service. A score between 50% and 80% is a likely match. Anything below 50% lands in the 'Possible matches' section and should be treated as a weak signal, not a verdict.
- Categories show the kind of accounts that exist — the shape of someone's online footprint.
- Per-service fields (usernames, display names, bio text, last active dates) help you confirm whether the match is really the person you care about.
- Confidence scores help you separate solid matches from noise. Treat low-confidence hits as leads to investigate, not as proof.
CheckMate.bio indexes public and breach-derived data. It does not grant access to private messages, passwords, or anything you wouldn't be able to find with enough patience and the right search queries. Use it for the same reasons you'd Google someone — safety, due diligence, re-connecting with people, or simply knowing what a public profile says about you. Be honest about your reasons, and respect the answer you get.