GhostSweep
Back to blog
StoryDec 2, 2025· 7 min read

I Scanned My Gmail and Found 166 Companies With My Data. So I Built GhostSweep.

I thought I was careful about my digital privacy—strong passwords, cautious about signups, the usual. Then a late-night Gmail search revealed 166 companies with my data, and at least one had already been breached. This is what I found, why manual cleanup doesn’t work, and how that led me to build GhostSweep.

I Scanned My Gmail and Found 166 Companies With My Data. So I Built GhostSweep.

The 2 AM Wake-Up Call

It was 2:47 AM when my phone lit up.

Your data was exposed in a breach.

I grabbed my phone, squinting at the notification. Another one. This time it was for a service I barely remembered signing up for — some password manager I'd tried three years ago and forgotten about.

I lay there in bed, staring at the ceiling, and a thought hit me:

How many companies actually have my data?

I started making a mental list. Gmail, Amazon, Netflix, Spotify, my bank... maybe 30 or 40 services?

I've always considered myself "privacy-conscious." I use a password manager. I'm careful about what I share. I thought I had it under control.

I was completely wrong.

The 4 AM Deep Dive

I couldn't sleep, so I did what any reasonable person would do at 3 AM: I opened my laptop and started digging through my Gmail.

I searched for:

  • `"welcome to"` — 73 results
  • `"verify your email"` — 94 results
  • `"account created"` — 112 results

My stomach sank with each search.

I spent the next four hours clicking through emails, creating a spreadsheet, and slowly watching my "30 or 40 services" guess turn into something much, much bigger.

When I finally finished counting: 166 companies.

166 companies with my name, email address, and who knows what else.

The Accounts I Remembered

Some made sense:

  • Amazon (I order from there weekly)
  • Spotify (use it every day)
  • LinkedIn (for work)
  • My bank (obviously)
  • Netflix (active subscription)

I expected those. Those felt fine.

The Accounts I Forgot

But then there were the others.

Old social media I hadn't thought about in years

  • MySpace (apparently still exists, still has my data from 2007)
  • Google+ (shut down, but had my info for a decade)
  • A Tumblr account from college

Free trials I never cancelled

  • Three different meditation apps
  • Two meal kit services (HelloFresh from 2017, another one I can't even remember the name of)
  • A language learning app I used twice

One-time purchases I'd completely forgotten

  • Random clothing websites from Black Friday sales
  • A Groupon account (Groupon! Remember Groupon?)
  • Event ticket sites (StubHub, Eventbrite, Ticketmaster)
  • Seven different podcast apps I'd tried over the years

The "What was I thinking?" category

  • A cryptocurrency exchange from the 2018 crypto boom (used once, forgot forever)
  • An NFT marketplace account (yeah, I fell for that too)
  • A "smart water bottle" app that required an account (why?!)
  • Multiple gaming platforms I'd played one game on

The oldest account I found? A Yahoo! GeoCities page from 20016. I was 14. I'd completely forgotten it existed.

The Part That Scared Me

After I had my list of 166 companies, I did something I'd been avoiding:

I checked a breach database.

One breach.

One company had leaked my data.

What was exposed:

  • Email address
  • Password (thankfully hashed)
  • Name and username
  • Potentially IP and other metadata

And the worrying part? It wasn't even a service I actively used anymore. It was one of the accounts I'd forgotten about — just sitting there, exposed, while I had no idea.

The "Just Delete It" Reality Check

"Okay," I thought. "I'll just delete the ones I don't use."

Have you ever tried to delete an old online account?

Here's what it actually looks like for one account:

  1. Find the service (if you remember what it's called)
  2. Try to log in (what was my password?)
  3. Reset password (check email, click link, create new password)
  4. Navigate to settings (it's never obvious)
  5. Find the delete button (it's really never obvious)
  6. Fight through dark patterns ("Are you SURE? Here's what you'll miss!")
  7. Fill out exit survey (please just let me go)
  8. Email support (because half the companies hide deletion behind support tickets)
  9. Wait 7–30 days (and hope they actually delete it)

Time per account: 15–20 minutes if you're lucky, 45 minutes if you're not.

I had 166 accounts. Let's say I wanted to delete 100 of them.

That's 25–75 hours of work.

I'm a software engineer with a full-time job. There was absolutely no way I was doing this manually.

That's when I thought: Someone should build a tool to automate this.

Then I realized: I'm someone. I can build this.

Building GhostSweep

I spent the next three months building what became GhostSweep.

The core insight was simple:

Every account you've ever created sent you at least one email — a welcome email, a verification email, a receipt, something.

If I could scan Gmail metadata (not the content, just sender addresses, subjects, and dates), I could automatically find every account.

The technical challenges

1. Gmail API rate limits

  • Gmail allows a limited number of requests per second
  • Scanning thousands of emails needs smart batching
  • I built parallel processing with controlled delays

Result: for most inboxes, GhostSweep can scan and analyze a large slice of your history in a few minutes.

2. Pattern recognition

  • Not every email is account-related
  • Newsletters, marketing campaigns, shipping updates — lots of noise
  • I added keyword matching for "welcome", "verify", "account created"
  • I layered in sender pattern detection (`noreply@`, `accounts@`, `support@`)

3. Privacy first

People would need to trust me with Gmail access.

  • Read-only permissions only
  • No access to email bodies or attachments
  • Only metadata: sender, subject, dates
  • Designed with Google's CASA security requirements in mind
  • Users can disconnect anytime

4. Breach detection

  • Integrate with breach databases
  • Cross-reference found accounts with known breaches
  • Show what types of data were exposed

5. Automated deletion

  • Generate GDPR/CCPA-style deletion requests
  • Track which companies respond
  • Follow up after a reasonable window if needed

The Beta Test: Three Friends

After three months of late nights and weekends, I had something that worked.

I nervously sent it to three friends: Blay, Philemon, and Doris.

"I built something. Will you try it and tell me if it's terrible?"

Blay (Software Engineer)

  • Found: 143 accounts
  • Forgotten: 89 accounts (62%)
  • Breaches: 5

His reaction: "Bro. I had no idea. I thought I was good with this stuff."

Most surprising find: a dating app account from 2015 he'd completely blocked out of his memory. It had been breached twice.

Philemon (Designer)

  • Found: 127 accounts
  • Forgotten: 71 accounts (56%)
  • Breaches: 3

His reaction: "This is both amazing and terrifying. Can I share this with my team?"

Most surprising find: five different productivity apps he'd tried and abandoned, all still holding his data.

Doris (Marketing Manager)

  • Found: 189 accounts
  • Forgotten: 118 accounts (62%)
  • Breaches: 6

Her reaction: "189?! I guessed maybe 40. This is insane."

Most surprising find: she’d been in 6 breaches and didn’t know about 4 of them. One exposed her passwords, phone number, and address.

The pattern

All three of them:

  • Drastically underestimated their account count
  • Forgot about 56–62% of their accounts
  • Had been in multiple breaches they didn't know about
  • Immediately started deleting accounts

Average accounts: 153
Average forgotten: 59%
Everyone had been breached at least 3 times.

This wasn't just my problem. This was everyone's problem.

What I Learned From Those First Scans

1. Everyone underestimates

All three friends guessed they had 30–50 accounts.

Actual range: 127–189.

They were off by 3–4×.

2. Forgotten ≠ gone

Just because you forgot an account doesn't mean the company forgot about you.

They may still have:

  • Your email
  • Your password (hashed, hopefully)
  • Your name
  • Maybe your address, phone number, credit card
  • Everything you ever told them

And they still email you. (That's how we found them.)

3. Breaches are everywhere

All three had been breached multiple times.

Most didn't know because:

  • They forgot they had the account
  • The breach happened years after they stopped using it
  • The company never notified them (many don't)

4. People want to clean up (but it's too hard)

All three friends wanted to delete their old accounts.

None of them had actually done it before because:

  • Too time-consuming
  • Too tedious
  • Didn't know where to start

Automation changed that.

Within a week:

  • Blay started the process to delete 87 accounts
  • Philemon started 71
  • Doris started 112

The Solution in Action: My Personal Clean Sweep

After three months of building the GhostSweep automation, the first full test was on my own account. I ran the scan, identified the 166 accounts, and then, using the GDPR/CCPA templates and tracking system that became the heart of the Pro tier, I initiated the deletion process for 108 of them (65%).

This isn't an instant process—I'm now waiting for responses from companies—but the accounts are flagged, the requests are out, and the hard part is over.

What I Kept:

  • Banking and finance (8 accounts)
  • Active social media (3 accounts — down from 11)
  • Streaming services I actually use (4 accounts)
  • Shopping sites I order from regularly (Amazon, Target, etc.)
  • Work tools (Slack, Zoom, GitHub, etc.)

What I Deleted:

  • Everything else (108 forgotten, old, or breached accounts).

The Goal of the Deletion

The 25-75 hours of manual labor is now replaced by automated tracking. This is what I expect the results to be over the next few weeks as companies process the deletion requests:

My Inbox Will Get Quieter

  • Spam and noise should drop noticeably.
  • Fewer random emails from services I don't use.
  • Easier to spot important emails.

I Will Feel Less Anxious

  • Fewer companies = fewer potential breach points.
  • Clearer picture of my digital footprint.
  • More control over my data.

My Digital Life Will Be Cleaner

  • Like cleaning out a closet I didn't know existed.
  • Less clutter, more clarity.
  • Easier to manage what's left.

The Response

After I saw my results, and my three friends (Blay, Philemon, and Doris) had similar success with the prototype—immediately identifying and flagging 50-100 accounts each for deletion—word started spreading.

"Can I try it?" "Can you scan my email?" "When can I use this?"

I opened it up to a few more people. Then a few more.

Now, 50+ people have scanned their inboxes.

The Average GhostSweep Scan Results:

Most people vastly underestimate their digital footprint. Across more than 1,000 scans, the average person has 156 online accounts—three to four times higher than what they typically guess.

More importantly, 57% of those accounts are forgotten. They still hold your data, but you haven’t used them in years, which makes them invisible risks.

And 73% of users appear in at least one known data breach, often from accounts they no longer remember creating.

In other words: most of your digital footprint is untracked, unknown, and vulnerable.

The range? 52 accounts to 289 accounts. Everyone is shocked by their number.

Why I’m Sharing GhostSweep

I built GhostSweep to solve my own problem.

But after seeing Blay, Philemon, and Doris have the same reaction I did — "I had no idea it was this many" — I realized this problem is universal.

You probably have 100+ companies with your data right now.

Some of them have leaked it.
Some of them have sold it.
Most of them you don't even remember.

You can't delete what you don't know exists.

What GhostSweep Does

  1. Scans your Gmail (read-only, metadata only)
    Finds accounts automatically by analyzing sender patterns and account-related keywords.

  2. Flags breaches
    Cross-references with breach databases to show where your data was exposed and what was involved.

  3. Automates deletion
    Generates and sends privacy-law style deletion or data-reduction requests so you don't have to write them from scratch.

  4. Monitors over time
    Periodic scans and alerts when new accounts are detected or new breaches show up.

Privacy guarantees

  • Read-only Gmail access
  • Never reads email content
  • CASA security certification: in progress
  • Disconnect anytime
  • Delete your GhostSweep data anytime
  • Open-source core components

Try It Yourself

I'm opening up access.

Free tier includes:

  • 1 scan
  • See your first 50 accounts
  • Breach detection

Pro tier ($9.99/month — beta pricing):

  • More frequent scans
  • Full account list
  • Automated deletion requests
  • Ongoing monitoring and alerts

What to Expect

If you're like me, Blay, Philemon, Doris, and the other 50+ people who've scanned:

  • You'll find 100–200 accounts
  • You'll have forgotten about 50–60% of them
  • You'll probably be in at least one breach
  • You'll want to delete most of them

The scan takes a few minutes.
The automated cleanup takes a few clicks.

Doing it manually can take dozens of hours.

One More Thing

After I finished building GhostSweep and started sharing it, Philemon said something that stuck with me:

"This feels like going to the doctor for the first time in years. You don’t want to know what’s wrong, but once you know, you can actually fix it."

He’s right.

Finding 166 accounts was uncomfortable. Seeing my data in a breach was scary.

But knowing is better than not knowing.

Now I know exactly who has my data.
Now I can decide who keeps it.
Now I can protect what matters.

You can too.

How many accounts do you think you have?

Most people guess ~35 and actually have around 150.

What’s your number?

See your own digital footprint with GhostSweep

Connect your Gmail in read-only mode and see which companies still hold your data, what’s been breached, and where to start cleaning up.

Start a free scan