The Forgotten Accounts: Why Dormant Identities Are Every Attacker’s Favorite Target

The Forgotten Accounts: Why Dormant Identities Are Every Attacker’s Favorite Target

“Imagine leaving the spare key to your office under the doormat after an employee resigns. Months go by, nobody remembers it’s there, but it still unlocks the front door.”

It sounds unlikely.

Yet in the digital world, this happens far more often than organizations realize.

Every employee, contractor, vendor, or application that accesses your environment is assigned a digital identity. Over time, some of these identities are forgotten. Employees change roles, contractors complete projects, third-party vendors lose relevance, and legacy applications are retired.

The business moves on. But their accounts often don’t. These forgotten identities remain in the background, waiting to be discovered not by your IT team, but by attackers.

What Are Dormant Identities?

A dormant identity is any user or service account that still exists but is no longer actively required.

These accounts may belong to:

  • Former employees
  • Contractors and consultants
  • Third-party vendors
  • Shared administrative accounts
  • Legacy applications
  • Service accounts that no longer support active systems

They may appear harmless because they’re rarely used.

Unfortunately, that’s exactly what makes them valuable to attackers.

Why Attackers Love Forgotten Accounts

Breaking into an organization is difficult.

Finding an account that already has access? Much easier.

Dormant accounts often have valid credentials, established permissions, and trusted relationships within the environment. Since they generate little or no activity, unusual logins may go unnoticed for extended periods.

From an attacker’s perspective, these accounts offer a quieter path into the network than exploiting new vulnerabilities.

The Hidden Risks Behind Dormant Accounts
Former Employees

An employee leaves the organization, but their account isn’t disabled immediately.

Even if the individual has no malicious intent, the account may still provide access to email, cloud applications, VPNs, or internal systems.

Every unnecessary active account expands the organization’s attack surface.

Service Accounts

Service accounts keep applications, databases, and automated processes running.

Because they operate behind the scenes, they are often overlooked during security reviews.

Many have:

  • Elevated privileges
  • Passwords that rarely change
  • Limited monitoring
  • Broad access across multiple systems

If compromised, a service account can provide attackers with significant access while appearing to perform normal system operations.

Shared Accounts

“Just use the admin account.”

Shared accounts may seem convenient, especially during busy operational periods, but they come at a cost.

When multiple people use the same account:

  • Accountability is lost.
  • User activity becomes difficult to trace.
  • Credentials are more likely to be shared insecurely.
  • Access often continues long after it is needed.

From a governance perspective, shared accounts create unnecessary risk and reduce audit visibility.

Third-Party Accounts

Modern organizations rely on external vendors for support, maintenance, monitoring, and managed services.

These vendors often require remote access to internal systems.

Once a project ends, however, those accounts are not always reviewed or removed.

A forgotten third-party account can become an unexpected entry point into the organization, especially if the vendor itself experiences a security breach.

Identity Is the New Security Perimeter

Traditionally, organizations focused on protecting networks and endpoints.

Today, identity has become one of the most valuable assets to defend.

Attackers increasingly target identities because they provide legitimate access. Instead of exploiting technical vulnerabilities, they exploit trust.

A valid account with unnecessary permissions can often be more valuable than sophisticated malware.

Managing Identity Throughout Its Lifecycle

Effective identity security begins long before an account is created and continues long after it is no longer needed.

Organizations should regularly:

  • Review inactive accounts.
  • Disable accounts that are no longer required.
  • Remove unnecessary privileges.
  • Monitor privileged and service accounts.
  • Eliminate shared accounts wherever possible.
  • Review third-party access on a scheduled basis.
  • Align identity management with the Joiner-Mover-Leaver (JML) process.

Identity governance isn’t just about creating accounts—it’s about knowing when they should no longer exist.

Small Oversight, Big Consequences

Dormant accounts often remain active for perfectly ordinary reasons.

  • Someone forgot.
  • A project ended.
  • The contractor never returned.
  • An employee transferred to different departments.

Individually, these situations seem insignificant.

Collectively, they create opportunities that attackers actively search for.

Sometimes the biggest security risks aren’t created by sophisticated attacks—they’re created by accounts that everyone forgot were still there.

Cybersecurity isn’t only about preventing unauthorized access. It’s equally important to remove access that is no longer necessary. Dormant identities, forgotten service accounts, and outdated third-party access quietly increase organizational risk without drawing attention.

By regularly reviewing identities, enforcing strong access governance, and following the principle of least privilege, organizations can significantly reduce one of the easiest paths attackers use to gain a foothold. Because sometimes the biggest security threat isn’t the account that’s being used.It’s the one everyone forgot existed.