Dormant Credentials and Ghost Accounts: Why Former Employees Are a Top Attack Vector in 2025
Dormant credentials left behind by former employees are one of the most consistent, least-glamorous, and most preventable entry points attackers use against small businesses today. No zero-day exploit required. No nation-state budget. Just patience and a username-password pair nobody remembered to delete. The FBI’s 2023 Internet Crime Complaint Center (IC3) report recorded $12.5 billion in total cybercrime losses across the United States, and credential-based intrusions sit at the center of how the majority of those incidents began. This post maps the problem from raw data to the specific offboarding gaps that create it – and closes with a practical defense posture any business can act on today.
- The Numbers Behind Credential-Based Intrusions
- The Anatomy of a Ghost Account
- Where Stale Credentials Hide in a Small Business Environment
- Real-World Examples and Public Breach Data
- Why Small Businesses Are Disproportionately Exposed
- The Defense Posture That Closes the Gap
- What to Ask Your IT Firm Right Now
The Numbers Behind Dormant Credentials and Credential-Based Intrusions
The Verizon 2024 Data Breach Investigations Report analyzed 30,458 security incidents and confirmed 10,626 breaches. Stolen or misused credentials were the number-one action type across all incident patterns for the third consecutive year. That is not a trend. That is a structural feature of the threat environment – one that does not change unless businesses deliberately change their posture.
CISA’s Known Exploited Vulnerabilities catalog and its advisory library tell the same story. A significant share of the joint advisories published by CISA, the FBI, and the NSA over the past two years cite valid account misuse as either the initial access technique or the lateral movement technique in confirmed intrusions. The MITRE ATT&CK framework classifies this as technique T1078, “Valid Accounts,” and it consistently ranks among the top five techniques observed in real-world incidents across every industry.
What the data rarely surfaces cleanly is how many of those “valid accounts” belonged to people who no longer work at the targeted organization. When researchers at Beyond Identity surveyed IT and security professionals in 2023, 56 percent reported that former employees still had active access to company systems after their departure. More than half of organizations are, at any given moment, running with unlocked doors left open by people who no longer work there.
The Anatomy of a Ghost Account

A ghost account is any user account that remains active after the person it belongs to no longer has a legitimate business reason to access that system. Ghost accounts are born from offboarding failures – not malice by the departing employee, but process breakdowns inside the business.
The lifecycle typically looks like this:
- An employee gives two weeks’ notice, gets terminated, or simply stops showing up.
- HR notifies payroll and maybe the direct manager.
- No formal IT offboarding checklist exists, or the checklist is incomplete.
- The primary company email account gets disabled – sometimes.
- Every other account – the CRM login, cloud file storage, project management tool, remote access credentials, line-of-business application, the admin panel for the company website – stays active, indefinitely.
Months later, that former employee’s dormant credentials surface in a data breach at a third-party service they used. The credentials get sold on a dark web forum for a few dollars. An attacker purchases them, tests them against the former employer’s systems using automated credential-stuffing tools, and finds the account still works. They are now inside a business they have never physically touched.
Where Dormant Credentials and Stale Credentials Hide in a Small Business Environment
The problem is not confined to one platform. Stale credentials accumulate across every layer of a small business’s technology stack – and most businesses have far more of that stack than they realize.
Cloud productivity platforms – Microsoft 365 and Google Workspace accounts are often the first thing IT thinks about during offboarding. But shared mailboxes, distribution lists, and guest accounts tied to former employees frequently get missed. A former employee with active guest access to a SharePoint site has read access to everything that site contains.
Line-of-business applications – Accounting software, CRM platforms, HR systems, project management tools, and industry-specific applications almost always manage their own user directories. When a business uses a centralized identity provider, this is less of a problem. Most small businesses do not. Each application is its own island of credentials, and dormant credentials pile up independently in every one.
Remote access infrastructure – VPN accounts, remote desktop gateways, and browser-based remote access tools are among the highest-risk ghost account locations because they grant a direct path into the internal network. A 2023 Mandiant analysis found that attackers most commonly achieved initial access through remote services using valid accounts. A former IT contractor with an active VPN profile is a standing invitation.
Administrative and privileged accounts – These are the most dangerous ghost accounts in any environment. A former IT employee, system administrator, or operations manager who held elevated privileges – in network infrastructure, firewalls, or server environments – is a critical risk if those privileges were not revoked immediately. Privileged accounts can disable logging, create new accounts, and move laterally without triggering standard alerting thresholds.
Multi-factor authentication registrations – When a former employee’s account is not fully deprovisioned, the authenticator device registration may still be active. If the former employee kept the registered device, they can still authenticate after the password is changed, because existing session tokens and device trust are not revoked by a password change and persist independently of it.
Shared credentials and service accounts – Small businesses frequently create shared logins for tools that do not support individual user accounts. When the person who managed a shared account leaves, the credential rarely changes. Former employees retain functional access indefinitely, and those shared dormant credentials are among the hardest to detect and remediate.
Real-World Examples and Public Breach Data
Public breach disclosures show a clear pattern. The specifics change; the mechanism repeats.
- In 2021, a former employee of a Florida water treatment facility used remote access software that had not been removed after their departure to access the plant’s control systems. The attacker briefly altered chemical levels before an on-site operator intervened. The access path was a dormant remote access credential that had never been revoked.
- The Okta breach in 2022 involved access to a support system through a credential belonging to a customer support engineer. While not a classic “former employee” case, it showed how a single valid credential with access to a customer-facing support tool can expose hundreds of downstream organizations – a systemic risk that scales dramatically when credentials are not lifecycle-managed.
- The Verkada camera system breach in 2021 was enabled in part through a “super admin” account with access to over 150,000 security cameras. Elevated administrative credentials without strong lifecycle controls are a recurring theme across public breach disclosures of this type.
- A 2022 case documented by the FBI’s cyber division involved a former employee of a New Jersey-based credit union who accessed the organization’s network after termination and deleted more than 21 gigabytes of data, including mortgage loan applications. The former employee used their personal laptop. The dormant credentials had never been deprovisioned.
The FBI IC3’s 2023 report recorded 21,489 complaints related to business email compromise, many involving unauthorized access to email accounts through valid credentials. Former employee accounts in Microsoft 365 or Google Workspace without multi-factor authentication are a direct pipeline to that type of attack.
Why Small Businesses Are Disproportionately Exposed to Ghost Accounts
Enterprise organizations have dedicated identity governance teams, automated provisioning and deprovisioning workflows, and regular access reviews built into their compliance programs. Small businesses – especially those under 100 employees – rarely have any of that.
The typical small business technology environment is assembled over time as the company grows. Each new tool gets a new set of credentials. No one builds a centralized identity layer because the cost and complexity seemed unnecessary at 10 employees. By the time the company reaches 30 or 50 employees, credential sprawl is significant and no one has a complete picture of where all the accounts live.
Turnover compounds the problem. The average U.S. employee tenure at a small business is under four years. A company with 40 employees has likely cycled through 50 or more people over a five-year span. If each departure left even two or three active dormant credentials behind, the ghost account population is in the dozens. Attackers who obtain a list of former employee email addresses – often available through LinkedIn or old press releases – have a ready-made target list for credential-stuffing and phishing campaigns.
Small businesses also tend to grant broader permissions than necessary because formal role-based access controls take time to implement and maintain. A former office manager may have held administrative access to the accounting system, edit rights on company cloud storage, and a VPN account – all of which remain active attack surface until explicitly revoked.
The Defense Posture That Closes the Dormant Credentials Gap
This is a solvable problem. Unlike advanced persistent threats that exploit novel vulnerabilities, ghost account exposure is addressed almost entirely through process discipline and the right technology controls. The following posture, applied consistently, eliminates the majority of the risk.
Centralized identity management. Every user account in every system should be tied to a single identity provider. Microsoft Entra ID (formerly Azure AD) and Google Workspace both serve this function for small businesses. When an account is disabled in the identity provider, access to every connected application terminates automatically. This only works if applications are integrated with the identity provider – which requires deliberate configuration for each platform.
A formal, documented offboarding checklist. HR and IT must operate from the same checklist at the moment of every departure – planned or otherwise. The checklist must cover email, cloud storage, remote access tools, line-of-business applications, administrative panels, multi-factor authentication device registrations, and any shared credentials the employee managed. It is not optional, and it must be signed off by a responsible party for every departure.
Privileged account review on a fixed schedule. Administrative and elevated accounts should be audited at minimum quarterly. The question each review must answer: does every person on this list still work here, and do they still need this level of access? Privileged accounts should be the shortest-lived and most tightly controlled credentials in any environment.
Multi-factor authentication on every account, without exception. CISA designates multi-factor authentication as one of its top security controls for a reason. An attacker who obtains a valid credential cannot use it if the account requires a second factor tied to a device the attacker does not control. This applies to email, VPN, remote access tools, and every other system that supports it.
Periodic access reviews across all platforms. Even with a strong identity provider integration, access reviews catch what automation misses – SaaS applications that do not federate cleanly, shared accounts, external vendor portals, and legacy tools that accumulate stale access over time. A quarterly review does not need to be a major project. It is a structured walk through every platform with one question: who has access, and should they?
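The privileged-account review and the cross-platform access review above can be driven by one script that reconciles an account inventory against the current staff roster. This is an added example, not tooling from the post or its author; the roster, the platform names and the inventory rows are constructed sample data, and the 90-day dormancy threshold is an assumption.

```python
"""Quarterly access review: reconcile an account inventory gathered from every
platform against the current staff roster. Added example, not the post's own
tooling; the roster and inventory below are constructed sample data."""
from datetime import date, timedelta

# Constructed: people who currently work here (an HR export in practice).
CURRENT_STAFF = {"alice@example.com", "bob@example.com", "dana@example.com"}

# Constructed: accounts exported from each platform. Every application keeps
# its own directory, so one person appears once per platform.
ACCOUNT_INVENTORY = [
    {"platform": "m365", "owner": "alice@example.com", "privileged": True, "last_login": "2025-03-02"},
    {"platform": "vpn", "owner": "carl@example.com", "privileged": False, "last_login": "2024-11-20"},
    {"platform": "crm", "owner": "carl@example.com", "privileged": True, "last_login": None},
    {"platform": "vpn", "owner": "bob@example.com", "privileged": False, "last_login": "2024-09-01"},
    {"platform": "m365", "owner": "dana@example.com", "privileged": False, "last_login": "2025-03-03"},
    {"platform": "website-admin", "owner": "shared-admin", "privileged": True, "last_login": "2025-01-15"},
]


def review_accounts(inventory, current_staff, today, dormant_days=90):
    """Return (finding, account) pairs, privileged accounts first.
    'departed': owner is not on the roster: a ghost account, disable now.
    'shared':   not tied to a named person: rotate the secret, assign an owner.
    'dormant':  no login within dormant_days: disable pending confirmation."""
    cutoff = today - timedelta(days=dormant_days)
    findings = []
    for acct in inventory:
        owner, last = acct["owner"], acct["last_login"]
        if "@" not in owner:                      # shared or service login
            findings.append(("shared", acct))
        elif owner not in current_staff:          # person has left
            findings.append(("departed", acct))
        elif last is None or date.fromisoformat(last) < cutoff:
            findings.append(("dormant", acct))
    # Review elevated accounts first; within a tier, 'departed' sorts first.
    findings.sort(key=lambda f: (not f[1]["privileged"], f[0]))
    return findings


def review_sample():
    """Run the review over the constructed data as of 2025-03-03."""
    return [(finding, a["platform"], a["owner"])
            for finding, a in review_accounts(ACCOUNT_INVENTORY, CURRENT_STAFF, date(2025, 3, 3))]


if __name__ == "__main__":
    for finding, platform, owner in review_sample():
        print(f"{finding:9} {platform:14} {owner}")
```

The output is the review worksheet: every line is an account someone must either confirm or disable, and a departed owner on a privileged account is the first thing to act on.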
Logging and alerting on dormant credential activity. Any account that has not been used in 30 or more days and then suddenly authenticates is a detection opportunity. Logging authentication events and alerting on anomalous patterns – dormant credentials activating, off-hours logins from unfamiliar locations, accounts authenticating from new devices – allows a business to catch credential misuse before significant damage occurs. This capability exists in Microsoft 365 and Google Workspace at no additional cost. It simply needs to be configured and monitored.
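The 30-day rule above becomes a concrete detection when applied to exported sign-in events. This is an added example, not code from the post or its author; the space-separated log format and the sample lines are constructed, and the device and IP fields are assumed to be available from whatever platform exports the events.

```python
"""Flag dormant credentials that suddenly authenticate. Added example, not the
post's own tooling; the log format and the sample lines are constructed."""
from datetime import datetime, timedelta

# Constructed sample authentication log, one event per line, oldest first.
AUTH_LOG = """\
2025-01-05T09:02:11Z user=alice@example.com result=success device=laptop-A1 ip=198.51.100.7
2025-01-06T08:55:40Z user=carl@example.com result=success device=laptop-C3 ip=198.51.100.9
2025-03-01T09:10:02Z user=alice@example.com result=success device=laptop-A1 ip=198.51.100.7
2025-03-02T02:47:19Z user=carl@example.com result=failure device=unknown-7f ip=203.0.113.44
2025-03-02T02:48:03Z user=carl@example.com result=success device=unknown-7f ip=203.0.113.44
"""

DORMANT_AFTER = timedelta(days=30)   # the post's threshold

def parse_event(line):
    """Turn 'TIMESTAMP key=value ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return event

def detect_dormant_reactivation(log_text, dormant_after=DORMANT_AFTER):
    """Return one alert per successful login to an account whose previous
    success was at least dormant_after ago. 'new_device' is set when the device
    never appeared in that account's earlier successes: the combination most
    worth paging on. Accounts with no earlier success in the window are skipped."""
    last_success, known_devices, alerts = {}, {}, []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev["result"] != "success":
            continue
        user, ts, dev = ev["user"], ev["ts"], ev["device"]
        prev = last_success.get(user)
        if prev is not None and ts - prev >= dormant_after:
            alerts.append({
                "user": user, "at": ts.isoformat(), "idle_days": (ts - prev).days,
                "device": dev, "new_device": dev not in known_devices.get(user, set()),
                "source_ip": ev["ip"],
            })
        last_success[user] = ts
        known_devices.setdefault(user, set()).add(dev)
    return alerts

if __name__ == "__main__":
    for a in detect_dormant_reactivation(AUTH_LOG):
        flag = "NEW DEVICE" if a["new_device"] else "known device"
        print(f"{a['user']} idle {a['idle_days']}d, logged in from {a['source_ip']} ({flag})")
```

Both accounts trip the 30-day rule, but only the second alert pairs the dormant login with a never-seen device and a different source address, which is the pattern the offboarding checklist should have made impossible.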
For businesses that want to go deeper, the NIST Cybersecurity Framework and CISA’s cybersecurity resources both address identity and access management as a foundational control domain. The investment required to implement these controls at the small business level is modest compared to the cost of a single confirmed intrusion through a ghost account. A strong foundation here also supports broader cybersecurity program maturity across the organization. Learn more about how our managed IT services enforce identity lifecycle management for clients of every size.
What to Ask Your IT Firm Right Now
If you work with an external IT firm – or are evaluating one – these questions will tell you exactly how seriously they approach identity lifecycle management for dormant credentials and ghost accounts.
- Do you have a formal offboarding checklist, and do you run it for every departure – not just planned ones?
- Which of our applications are integrated with our identity provider for automated deprovisioning, and which ones are not?
- When did we last audit privileged and administrative accounts against current staff?
- Are all remote access accounts protected by multi-factor authentication with no exceptions?
- Are we logging authentication events, and is anyone actively reviewing those logs and acting on anomalies?
- Do we have a complete inventory of every application in use – including tools individual departments may have adopted without IT involvement?
An IT firm that cannot answer these questions with specificity is not managing your identity posture. Vague assurances are not sufficient. The threat posed by dormant credentials is not hypothetical – it is documented in thousands of confirmed breach disclosures and in the FBI’s own annual reporting. The businesses that get ahead of it do so by demanding process discipline from their IT providers and building offboarding rigor into their operations before a departure creates a ghost account that outlasts the person who left.
Ghost accounts are quiet. The damage they enable is not. A former employee whose access was never revoked does not announce themselves when an attacker picks up their dormant credentials. The intrusion begins silently – months or years after the departure, in a system no one thought to check. That is precisely why closing this gap requires deliberate action now, not after the first alert fires.
If you want a clear picture of where your ghost accounts and stale credentials actually live, Book a Free Cybersecurity Strategy Call. We will walk through your identity posture, identify the gaps, and tell you exactly what needs to close – no obligation, no pressure.
Let’s Talk About Your IT Strategy
If anything in this post raised a question about your own environment, the fastest path to an answer is a 20-minute strategy call. We’ll look at your specific situation and tell you what we’d actually do about it.