Inactive accounts pose significant account takeover security risks

Inactive accounts that haven’t been accessed for extended periods are more likely to be compromised due to password reuse and lack of multifactor authentication.

Inactive and unmaintained accounts pose significant security risks to users and businesses, with cybercriminals adept at using information stolen from forgotten or otherwise neglected accounts to compromise active ones.

That’s according to Okta’s first Customer Identity Trends Report which surveyed more than 20,000 consumers in 14 countries about their online experiences and attitudes towards digital security and identity.

It found that increasing identity sprawl can trigger significant account takeover (ATO) security risks due to accounts that haven’t been used or even thought about in years, particularly if customers reuse (or only slightly alter) passwords or do not perform security reviews.

A breach of any service may equip a threat actor with a huge volume of user credentials and associated personal data, and attackers are adept at using this information at scale to compromise active accounts, including important business accounts and networks.

The report came after Google announced that it is updating its inactivity policy for Google Accounts to two years, meaning that if a personal account has not been used or signed into for at least two years, it may delete the account and its contents.

This includes content within Google Workspace (Gmail, Docs, Drive, Meet, Calendar) and Google Photos, with the new rules coming into force no earlier than December 2023, the firm said.

Account sprawl a contributing factor to inactive account risks

The sheer volume at which new accounts are set up creates notable account churn – a sprawl-like concept where newer accounts “retire” others without adding to a user’s collection of active accounts. The older accounts are not deleted but often become unused and forgotten, sometimes for years.

This proliferation of accounts is most prevalent among younger users, but significant across most age groups, according to Okta’s report. The estimated number of new online accounts registered in the last three months by 18- to 29-year-olds is just over 40, dropping slightly to 35 and 34 for those aged 30-39 and 40-49, respectively. Those aged 60 and over are estimated to have set up around 20 new accounts in the last three months.

A significant challenge of account churn is the ability to securely manage and maintain digital footprints across large numbers of accounts.

Okta’s report found that 71% of respondents are aware that their online activities leave a data trail, but only 44% take steps to mitigate it.

Password management appears to be a particular sticking point, with 63% of respondents reporting that they’re unable to log in to an account because they forgot their username or password at least once a month, the report said.

While password resets are usually possible, users might decide that the process is simply not worth the effort, leading to more account inactivity. Only 52% of respondents reported that they still have access to all their accounts, while just 42% use different passwords for each account and only 29% regularly review/change account privacy settings.

Inactive accounts less likely to use MFA, receive security checks

Inactive accounts that haven’t been accessed for extended periods of time are more likely to be compromised, according to Google. “This is because forgotten or unattended accounts often rely on old or re-used passwords that may have been compromised, haven’t had two-factor (2FA) authentication set up, and receive fewer security checks by the user,” the firm added.

In fact, abandoned accounts are at least ten times less likely than active accounts to have 2FA set up, Google said. This makes these accounts particularly vulnerable, and once an account is compromised it can be used for anything from identity theft to a vector for unwanted or even malicious content, like spam.
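As an added illustration (not code from the article, Okta or Google), the sweep below applies the two-year inactivity threshold described earlier to a directory export and tiers dormant accounts by the risk factors the article names: a known-leaked credential first, then missing 2FA. The account record layout, the `credential_in_breach` flag and the action names are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Threshold from the article: Google treats a personal account as inactive
# after two years without a sign-in.
INACTIVITY_THRESHOLD = timedelta(days=730)

@dataclass
class Account:
    username: str
    last_login: datetime        # timezone-aware
    mfa_enrolled: bool
    credential_in_breach: bool  # assumption: flag from a breach-notification feed

def classify(acct: Account, now: datetime) -> str:
    """Map one account to a remediation action, ordered by the risk factors the
    article lists for unattended accounts: leaked/reused password, no 2FA."""
    if now - acct.last_login < INACTIVITY_THRESHOLD:
        return "none"
    if acct.credential_in_breach:
        # Dormant with a known-leaked credential: block until the owner resets it.
        return "lock-and-require-reset"
    if not acct.mfa_enrolled:
        # Dormant and no second factor: force enrolment on the next sign-in.
        return "require-mfa-on-next-login"
    # Dormant but MFA-protected: queue for ownership review or deletion.
    return "review"

def inactive_account_report(accounts, now=None) -> dict:
    """Return {username: action} for every account that needs attention."""
    now = now or datetime.now(timezone.utc)
    report = {}
    for acct in accounts:
        action = classify(acct, now)
        if action != "none":
            report[acct.username] = action
    return report

# Constructed sample directory, not real data.
NOW = datetime(2023, 12, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    Account("alice", datetime(2023, 11, 20, tzinfo=timezone.utc), True, False),
    Account("bob", datetime(2021, 6, 1, tzinfo=timezone.utc), False, False),
    Account("carol", datetime(2020, 1, 15, tzinfo=timezone.utc), False, True),
    Account("dave", datetime(2021, 3, 1, tzinfo=timezone.utc), True, False),
]

if __name__ == "__main__":
    for user, action in inactive_account_report(SAMPLE_ACCOUNTS, NOW).items():
        print(f"{user}: {action}")
```

Accounts still within the threshold are left untouched, so the report contains only the dormant ones and the single action each needs.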

Cybercriminals prioritising stolen credentials to enhance attacks

More than 80% of breaches involving attacks against web applications can be attributed to stolen credentials, according to the Verizon 2022 Data Breach Investigations Report.

Cybercriminals are prioritising stolen credentials to enhance attacks and bypass security measures, even demonstrating a willingness to shift away from malware in favour of credential abuse to facilitate access and persistence in victim environments.

This trend has also created clear demand for access broker services – criminal groups that sell stolen access credentials. There was a 112% year-over-year increase in advertisements for access broker services identified last year compared to 2021, with more than 2,500 advertisements for access detected across the criminal underground, according to the CrowdStrike 2023 Global Threat Report.
