Dormant Accounts: Why 38% of Your User List is a Security Liability
Imagine a secure office building where 38% of the access badges issued belong to people who haven't entered the building in six months. Some have quit, some have changed jobs, and some badges were just printed and forgotten.
Now, imagine that any one of those badges could still open the front door.
This sounds absurd in the physical world, but in the digital world, it is the norm. At Cydenti, our analysis of enterprise environments consistently reveals that roughly **38% of user accounts are dormant**.
What is a Dormant Account?
A dormant account is an identity (human or machine) that has not been used for a significant period—typically 90 days or more.
They come from:
**Former Employees:** Offboarding processes that disabled their Active Directory account but missed their Salesforce or AWS login.
**Contractors:** Temporary access granted for a project that ended, but the account was never disabled.
**Test Accounts:** Created by developers for a specific feature and then abandoned.
**Legacy Systems:** Service accounts for applications that were decommissioned years ago.
The "Silent" Threat
Dormant accounts are a favorite target for attackers for one simple reason: **Silence**.
If an attacker compromises an *active* employee's account, the employee might notice weird behavior ("Why can't I log in?" or "I didn't send that email").
But if an attacker compromises a *dormant* account, no one notices. There is no user to complain. The attacker can quietly use this foothold to explore the network, escalate privileges, and steal data, often dwelling undetected for months.
The Cleanup Challenge
Why do companies let this happen? Fear of breaking things.
"I don't know what this service account does, so I'd better not delete it."
"What if that contractor comes back next week?"
This hesitation leads to **Identity Hoarding**, where the directory becomes a graveyard of digital ghosts.
How to Exorcise the Ghosts
Cleaning up dormant accounts is one of the highest-ROI security activities you can undertake.
**Define "Dormant":** Set a policy. Is it 30 days? 60? 90? Stick to it.
**Automated Detection:** Use tools that continuously scan login logs across *all* systems (not just your IdP) to identify inactivity.
**The "Scream Test" (Safely):** Instead of deleting an account immediately, disable it. If no one "screams" (complains) after 30 days, archive and delete it.
**Just-in-Time Access:** Prevent future dormancy by granting access only for the duration it's needed.
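As an added illustration of the detection and scream-test steps above (example code written for this page, not Cydenti's tooling), the script below computes last activity per identity across several systems rather than the IdP alone, flags accounts past the dormancy threshold, and walks a flagged account through disable, wait, delete. The account names, system names and login dates are constructed; the 90-day and 30-day windows follow the post's own figures.

```python
from datetime import datetime, timedelta

DORMANT_DAYS = 90   # policy threshold (the post's "90 days or more")
SCREAM_DAYS = 30    # disable first; delete only if nobody complains in this window

# Constructed sample of last-login events, one row per (account, system, date).
# Several systems are included on purpose: an IdP-only view gets the wrong answer.
LOGIN_EVENTS = [
    ("alice",      "idp",        "2024-05-20"),
    ("alice",      "salesforce", "2024-06-01"),
    ("bob",        "idp",        "2024-01-15"),  # quiet in the IdP...
    ("bob",        "aws",        "2024-05-28"),  # ...but still active in AWS
    ("carol",      "idp",        "2024-02-10"),  # contractor, silent everywhere
    ("svc-legacy", "aws",        "2023-11-02"),  # service account, never in the IdP
]
def _day(s):
    return datetime.strptime(s, "%Y-%m-%d")

def last_seen(events, systems=None):
    """Latest login per identity, optionally restricted to some systems."""
    seen = {}
    for user, system, day in events:
        if systems and system not in systems:
            continue
        if user not in seen or _day(day) > seen[user]:
            seen[user] = _day(day)
    return seen

def find_dormant(events, today, threshold_days=DORMANT_DAYS, systems=None):
    """Accounts whose most recent login anywhere is older than the threshold."""
    cutoff = _day(today) - timedelta(days=threshold_days)
    return sorted(u for u, ts in last_seen(events, systems).items() if ts < cutoff)

def scream_test(state, user, today, complained=False):
    """Move one account through disable -> wait -> delete, restoring it if
    anyone complains. state maps user -> (status, disabled_on)."""
    now = _day(today)
    status, disabled_on = state.get(user, ("active", None))
    if status == "active":
        state[user] = ("disabled", now)         # step 1: disable, do not delete
    elif status == "disabled" and complained:
        state[user] = ("active", None)          # someone screamed: restore
    elif status == "disabled" and now - disabled_on >= timedelta(days=SCREAM_DAYS):
        state[user] = ("deleted", disabled_on)  # silent for SCREAM_DAYS: delete
    return state[user][0]

if __name__ == "__main__":
    print("IdP only:   ", find_dormant(LOGIN_EVENTS, "2024-06-10", systems={"idp"}))
    print("All systems:", find_dormant(LOGIN_EVENTS, "2024-06-10"))
```

Run as-is, the IdP-only view flags bob (who is still active in AWS) and never sees svc-legacy at all, while the cross-system view flags carol and svc-legacy, which is the point of scanning every system's login logs.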
Conclusion
That 38% figure represents pure, unmitigated risk with zero business value. Every dormant account you remove is a door you've locked and a potential breach you've prevented.
Don't let your user list become a liability. Start the cleanup today.