The bad actor’s best friend: Dormant service accounts

Dormant accounts, also known as inactive accounts, are accounts that haven’t been used or updated in at least 90 days. This extended period of inactivity gives them their “dormant” classification. 

Since these accounts are not being actively used, it’s common for application owners not to know they exist. The lack of knowledge can be attributed to the fact that these accounts aren’t being accessed or updated, meaning they don’t appear in system logs or trigger any security alerts. They go unnoticed and essentially become invisible within the system, slipping under the radar. Inactive accounts are a hotbed of opportunity for attackers, even more so if accounts remain dormant for long periods of time. 

An attacker can leverage the inactivity to their advantage, as the account’s lack of use means that any unauthorized activities are less likely to be noticed immediately. This provides a window of opportunity for nefarious activities to go undetected, making dormant accounts a significant security risk an attacker can easily take advantage of.

Risks involved with dormant accounts

A dormant account’s biggest weakness is the age of its password, and because credential reuse (specifically passwords) is a widespread issue, cybercriminals look for these signs to attack. Password reuse is the number one enabler of breaches. This essential security issue can be found across all companies, from the smallest organizations to multi-billion dollar corporations employing some of the brightest minds in the world. 

Let’s consider the tech giant, Microsoft. In January of 2024, Microsoft detected a significant breach within its internal systems. The perpetrators of this breach zeroed in on a non-production administrator account, which was specifically used for testing. By deploying a password spray attack, they were able to crack the account’s weak password. The absence of multi-factor authentication (MFA) on this account provided an unobstructed path for the attacker to log in. 

Once the attacker had infiltrated the system, they had access to a wealth of sensitive information. Emails and valuable data pertaining to high-ranking Microsoft leadership and their cybersecurity and legal teams were now at the attacker’s disposal. 

One month later, in February of 2024, Tangerine, the Australian telecom company, announced that they had suffered a cyberattack, which resulted in the loss of 232,000 customers’ personal data. This data encompassed a wide range of sensitive information, such as names, email addresses, birth dates and account numbers. 

According to Tangerine, the root cause of this devastating breach was a “legacy customer base” accessed by “login credentials of a single user engaged by Tangerine on a contract basis.”

In both of these massive companies, the underlying cause of the breach was the same: dormant accounts with weak passwords.

What can organizations do? 

The first step in protecting dormant accounts is being able to discover them in the organization’s environment. Leveraging a dynamic identity vulnerability solution that discovers and monitors all accounts and their access chains can help reveal dormant accounts in systems that are being improperly managed or used. 

Once they are revealed, organizations should deactivate or delete accounts that do not serve a current business function. Then, they should take the time to establish a strong password policy.

While preventing users from reusing their passwords can be challenging, accounts can be configured to rotate passwords every 90 days or automatically “lock” if they go unused after a certain period of time. 

To further impede attacks like spraying, stuffing and brute force attacks, it is advisable to implement a password complexity requirement, which makes the password less susceptible to guessing. 

Finally, multi-factor authentication (MFA) should be enabled for every account. This will prevent attackers from accessing the account even if they guess (or know) the password. 

Robust security posture requires robust identity security tools 

Dormant accounts remain a significant risk to organizations of all sizes and are low-hanging fruit for attackers, providing an easy, often overlooked entry point. Couple their nature as prime targets with detrimental practices such as password reuse and the non-implementation of MFA, and these accounts become the epicenter of security risks. 

Fortunately, there are identity vulnerability solutions that help to discover all dormant accounts easily and monitor environments for them. These solutions can track password rotation to ensure all accounts are complying with password policies, protecting an organization from an easily avoidable attack.