
The forgotten account of a former employee, or how you left the keys to the company with someone who no longer works here

John left the company three months ago. He received his termination notice on Friday, HR issued his employment certificate on Monday, and by Wednesday he was already working for the competition. His Active Directory account still exists. His email inbox is receiving messages. VPN access – active, and the SharePoint folder with client offers is still open.

Does this sound familiar? So how do you conduct an IT offboarding that actually closes the door?

48% of organizations are aware that former employees still have access to the corporate network, and 20% of organizations have experienced a data breach directly linked to a former employee.

Why forgotten accounts are dangerous

An active account of a former employee is a problem coming from two different directions simultaneously, and both are real.

The first direction: the former employee. Research by Beyond Identity shows that 83% of former employees admit that after leaving a company, they still logged into the accounts of their previous employer, and 56% of them admitted that they used this access to cause harm to the company. It is not exclusively about spectacular acts of sabotage. The most common forms of “revenge” are browsing other employees’ emails, copying client data, or simply using subscriptions paid for by the company. The motive is often a simple grudge—an employee who didn’t get a raise, wasn’t granted time off, or was fired under unpleasant circumstances.

The second direction: an external attacker. A dormant account with a weak or reused password and no MFA is an entry point for an outsider, and a quiet one: nobody is there to notice a password-reset email, an unexpected MFA prompt, or a login from a new country. Dormant accounts are therefore a standard target for cybercriminals. If they are not deactivated quickly, they can be compromised and used as a foothold in the network without raising the alarm that a living user's account would trigger.

Example: In September 2022, Uber disclosed that an attacker had got into its internal systems using the account of an external contractor. According to Uber's own account of the incident, the contractor's password had most likely been bought from a dark-web seller after a malware infection, and the attacker got past MFA by bombarding the contractor with push notifications until one was accepted. Contractor accounts are exactly the ones that most often sit outside the regular joiner/leaver process: provisioned for a project, never tied to an HR record, and rarely monitored.

Where we most often leave the "door open" for attackers

Classic IT offboarding ends with deactivating the Active Directory account and collecting the laptop. This is definitely not enough. An employee may have access to email, the cloud, financial systems, a CRM platform, the customer database, and internal communication tools. These access points remain open – sometimes for weeks, and sometimes indefinitely.

Most frequently overlooked areas:

  • Accounts in SaaS applications (Slack, Notion, Trello, Jira, HubSpot) often created without IT’s knowledge
  • Shared folders in Google Drive or SharePoint where the employee was a co-owner
  • External systems of contractors and partners to which the company granted the employee access
  • Shared passwords for service accounts (company social media, inboxes like “office@…”)
  • API tokens and keys to systems that the employee configured independently

Checklist – what to do after ending collaboration with a team member

The good news: the problem has an inexpensive solution that requires a process rather than advanced tools.

Account deactivation should occur on the day the employee leaves. Ideally at a specific time agreed upon with the HR department, not just when IT finds the time for it.

Minimum checklist for the day of departure:

  1. Disabling the AD/Entra ID (formerly Azure AD) account – immediately, not “by the end of the week”. Disable rather than delete on day one: a disabled object keeps its SID, group history and mailbox for the hand-over period; a deleted one does not.

  2. Revoking all active sessions and tokens – especially in cloud applications. Disabling the account blocks new sign-ins, but refresh tokens, open browser sessions and Kerberos service tickets that were issued earlier keep working until they expire unless they are revoked explicitly.

  3. Revoking VPN and remote desktop access – and dropping any tunnel or RDP session that is currently open, because an existing connection does not re-authenticate when the account is disabled.

  4. Reviewing SaaS applications – deactivating the account in each service separately (if there is no SSO or SCIM deprovisioning).

  5. Changing shared passwords that the employee had access to.

  6. Transferring ownership of files and folders to another user.

  7. Removing from security groups and distribution lists.

  8. Revoking API tokens generated by the employee.
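The day-of-departure steps above, scripted as one run for a typical hybrid Microsoft environment. This is an added illustration, not the article's own tooling. It assumes on-prem Active Directory synced to Entra ID (Azure AD), Exchange Online mailboxes, an operator with rights to disable users and edit groups, and an OU named "Disabled Users"; the script name, the OU path and the CSV log name are assumptions. It covers steps 1, 2, 3 (the AD-backed part), 6 (mailbox) and 7, and records what was removed before removing it, which is what makes the audit later possible.

```powershell
#Requires -Modules ActiveDirectory, Microsoft.Graph.Users, Microsoft.Graph.Users.Actions, Microsoft.Graph.Groups, ExchangeOnlineManagement
<#
  Offboard-Leaver.ps1 (hypothetical name) - illustrative offboarding run, not the article's own tooling.
  Assumptions: hybrid setup (on-prem AD synced to Entra ID), Exchange Online mailboxes,
  operator rights to disable users and edit groups, and an existing "Disabled Users" OU.
#>
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,
    [string] $DisabledUsersOU = 'OU=Disabled Users,DC=corp,DC=example',  # assumed OU
    [string] $ManagerUpn                                                  # inherits the mailbox; optional
)
$ErrorActionPreference = 'Stop'
$today = Get-Date -Format 'yyyy-MM-dd'

# ---- Step 1: on-prem AD - disable, scramble the password, record and strip group membership ----
$user = Get-ADUser -Filter "UserPrincipalName -eq '$UserPrincipalName'"
if (-not $user) { throw "No AD account for $UserPrincipalName" }
$log = ".\offboard-$($user.SamAccountName)-$today.csv"

Disable-ADAccount -Identity $user
# Disabling alone leaves the old password in place: anyone able to re-enable the object gets it back.
$newPassword = -join ((33..126) | Get-Random -Count 32 | ForEach-Object { [char]$_ })
Set-ADAccountPassword -Identity $user -Reset -NewPassword (ConvertTo-SecureString $newPassword -AsPlainText -Force)

# Step 7: write the membership list down BEFORE removing it, so the audit trail survives the script.
$groups = Get-ADPrincipalGroupMembership -Identity $user | Where-Object Name -ne 'Domain Users'
$groups | Select-Object Name, GroupCategory, DistinguishedName | Export-Csv $log -NoTypeInformation
foreach ($g in $groups) { Remove-ADGroupMember -Identity $g -Members $user -Confirm:$false }

Set-ADUser -Identity $user -Description "Offboarded $today by $env:USERNAME; former groups in $log"
Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledUsersOU
# Step 3: if VPN/RDP gateways authenticate against AD, new logins now fail, but tunnels that are
# already up stay up until the concentrator drops them - do that on the VPN side, not here.

# ---- Step 2: Entra ID - block sign-in now (do not wait for the sync cycle) and kill issued tokens ----
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Group.ReadWrite.All' -NoWelcome
$cloudUser = Get-MgUser -UserId $UserPrincipalName
Update-MgUser -UserId $cloudUser.Id -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId $cloudUser.Id | Out-Null   # refresh tokens die; access tokens lapse at their own expiry

# Cloud-only groups (Teams, Microsoft 365 groups). Synced groups were handled on-prem, and Graph refuses to edit them.
Get-MgUserMemberOfAsGroup -UserId $cloudUser.Id -All |
    Where-Object { -not $_.OnPremisesSyncEnabled } |
    ForEach-Object { Remove-MgGroupMemberByRef -GroupId $_.Id -DirectoryObjectId $cloudUser.Id }

# ---- Step 6 (mailbox part): convert to shared so mail keeps arriving without a licence or a login ----
if ($ManagerUpn) {
    Connect-ExchangeOnline -ShowBanner:$false
    Set-Mailbox -Identity $UserPrincipalName -Type Shared
    Add-MailboxPermission -Identity $UserPrincipalName -User $ManagerUpn -AccessRights FullAccess -AutoMapping:$false
}
Write-Host "Done. Still manual: shared passwords (step 5), file ownership (step 6), SaaS without SSO (step 4), API tokens (step 8)."
```

Run it as `.\Offboard-Leaver.ps1 -UserPrincipalName john@corp.example -ManagerUpn manager@corp.example`. Two design points matter more than the cmdlets: the cloud side is disabled directly rather than left to the next directory sync, because that gap is the window the article describes; and the group list is exported before it is removed, because "remove from all groups" is only reversible if someone wrote the list down. Steps 4, 5 and 8 stay manual unless every SaaS tool is behind SSO with SCIM, which is exactly why the article asks for a per-employee access registry.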

If you manage an environment without a central identity and access management (IAM) system, keep a registry of applications and access rights assigned to each employee. Without this list, you won’t know when you’ve finished offboarding because you won’t know where you started.

One additional step – account auditing

Once a quarter, conduct an account audit. Review the list of active users and compare it with current employees. In any organization that has existed for more than a year and has had any staff turnover, you will find accounts whose existence no one remembers anymore.
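The quarterly review above as a script, added here as an example and not part of the original article. It takes an export of enabled directory accounts and the HR roster of current staff and flags two things: accounts whose owner is not on the roster, and accounts that have not logged on for 90 days. The sample data is constructed so the block runs offline; the two query lines in the header comment show what to substitute for a real run, and the HR file name and its Email column are assumptions.

```powershell
# Added example, not the article's own tooling. Cross-checks enabled directory accounts against the
# HR roster and flags dormant ones. The sample data below is constructed; for a real run replace it with
#   $directory = Get-ADUser -Filter 'Enabled -eq $true' -Properties Mail, LastLogonDate
#   $hrRoster  = Import-Csv .\hr-current-staff.csv      # assumed file, assumed Email column
function Find-OrphanedAccounts {
    param(
        [Parameter(Mandatory)] [object[]] $Directory,   # objects with SamAccountName, Mail, LastLogonDate
        [Parameter(Mandatory)] [object[]] $HrRoster,    # objects with Email
        [int]      $InactiveDays = 90,
        [datetime] $AsOf = (Get-Date)
    )
    # Case-insensitive set of roster addresses: HR exports and AD mail attributes rarely agree on case.
    $staff = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($p in $HrRoster) { if ($p.Email) { [void]$staff.Add($p.Email) } }

    foreach ($acct in $Directory) {
        $reasons = @()
        if (-not $acct.Mail -or -not $staff.Contains($acct.Mail)) { $reasons += 'not on HR roster' }
        if (-not $acct.LastLogonDate) {
            $reasons += 'never logged on'
        } else {
            # LastLogonDate is derived from lastLogonTimestamp, which replicates with up to 14 days of lag,
            # so thresholds under ~14 days give false positives. 90 days is safe.
            $idle = [int]($AsOf - $acct.LastLogonDate).TotalDays
            if ($idle -gt $InactiveDays) { $reasons += "no logon for $idle days" }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Account = $acct.SamAccountName
                Mail    = $acct.Mail
                Reasons = $reasons -join '; '
            }
        }
    }
}

# Constructed sample. The audit date is fixed so the output is reproducible.
$asOf = Get-Date '2024-06-30'
$directory = @(
    # current employee, active
    [pscustomobject]@{ SamAccountName = 'jdoe';       Mail = 'jdoe@corp.example';      LastLogonDate = $asOf.AddDays(-3) },
    # "John" from the opening story: left three months ago, not on the roster, still logging in
    [pscustomobject]@{ SamAccountName = 'jkowalski';  Mail = 'jkowalski@corp.example'; LastLogonDate = $asOf.AddDays(-5) },
    # on the roster but dormant: long leave, or an account that was never really used
    [pscustomobject]@{ SamAccountName = 'mnowak';     Mail = 'mnowak@corp.example';    LastLogonDate = $asOf.AddDays(-120) },
    # service account with no mailbox and no HR owner: the "shared password" category from the article
    [pscustomobject]@{ SamAccountName = 'svc-backup'; Mail = $null;                    LastLogonDate = $null }
)
$hrRoster = @(
    [pscustomobject]@{ Email = 'JDoe@corp.example' },   # case differs from AD on purpose
    [pscustomobject]@{ Email = 'mnowak@corp.example' }
)

Find-OrphanedAccounts -Directory $directory -HrRoster $hrRoster -AsOf $asOf | Format-Table -AutoSize
```

On the sample, jdoe passes (the case difference is ignored), jkowalski is flagged as not on the HR roster despite a login five days ago, mnowak is flagged for 120 idle days, and svc-backup is flagged on both counts. The last case is the important one for the article's point about shared credentials: a service account will always fail the roster check, so the right response is to record an owner for it, not to add it to an exclusion list.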

A forgotten account is an unprotected account. And an unprotected account is an open door.

Looking to enhance your cybersecurity?

Contact us!
