You may not remember your Myspace account—the early aughts were a while ago—but it remembers you. So does your LinkedIn account, even though you haven’t logged into it since you were desperately casting about for a job after college. Those retail-website accounts that promised 15 percent discounts? They haven’t forgotten, either.

The internet is in a constant state of flux. Websites come and go, logos are redesigned, and advertisers find new ways to track people. Even the pages that appear most set in stone—like, say, a Pulitzer-finalist series of investigative journalism—may one day disappear. “Link rot” has riddled blogs, news websites, and even the Supreme Court with dead links.

Despite this online transience, one type of data does have a deceptively long lifespan. User information—usernames, passwords, profiles, and related personal data—can endure for years, in part because it’s commercially valuable for companies to hang onto it.

And those details can survive even long after a website changes ownership or goes dark. That means that a social-network or shopping-website account you created as long as a decade ago can still come back to haunt you.

This week, Myspace confirmed that a hacker stole a chunk of accounts in June 2013, and that those accounts are now being sold on a deep-web forum. According to LeakedSource, a website that obtained the leaked user info, more than 360 million accounts were compromised.