
How Dormant Accounts Expand Your Cloud Workspace Attack Surface

Dormant accounts pose a significant security risk by expanding the cloud workspace attack surface, necessitating a proactive, automated Identity and Access Management (IAM) approach to identify and mitigate these hidden vulnerabilities.

Identity Security
August 29, 2025
Author: Material Security Team

In any bustling digital environment, some user accounts inevitably fall into disuse. These dormant accounts—belonging to former employees, temporary contractors, or retired applications—often fade into the background of your IT infrastructure. However, far from being harmless, these forgotten digital identities are a significant and growing security risk. They act as unlocked, unmonitored backdoors into your cloud workspace, dramatically expanding your attack surface. With attackers actively seeking these weak points, understanding and managing dormant accounts is no longer just good housekeeping; it's a critical component of modern Identity and Access Management (IAM).

The Hidden Population of Dormant Accounts

The problem of dormant accounts is far more widespread than most organizations realize. They are the digital equivalent of leaving the keys to your old apartment on the welcome mat long after you've moved out. While you've forgotten about them, someone else is bound to find them.

Why Do So Many Dormant Accounts Exist?

Dormant accounts accumulate for several common reasons, often as a byproduct of normal business operations. Incomplete offboarding processes are a primary culprit. When an employee or contractor leaves, their account may be disabled but not fully deprovisioned, leaving access privileges intact. Other sources include:

  • Service Accounts: Created for applications, integrations, or automated processes that are later decommissioned.
  • Temporary Project Access: Granted for short-term projects but never revoked upon completion.
  • Test Accounts: Created for development or testing and then abandoned.

The scale is significant. On average, 1 in 8 employee accounts in a typical organization is dormant. The problem is even more pronounced with non-human identities. For every human user in an organization, there can be as many as 40 service accounts, many of which are undocumented and forgotten.

The "Out of Sight, Out of Mind" Problem

These accounts are particularly dangerous because they are invisible to day-to-day security monitoring. Since there's no legitimate activity, security teams have no baseline to detect when one is suddenly compromised and used for malicious purposes. A recent report found that 88% of organizations have "ghost users"—stale but enabled accounts that retain access to sensitive data.

Attackers don't need to break down the front door if you've left a side window open. Dormant accounts are that open window, often with a direct line of sight to your most valuable assets.

Legacy security tools often struggle to identify and manage these threats, as an attacker can activate a dormant account, achieve their objective, and disappear, leaving little trace of their activity.
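One way to get a signal despite the missing baseline is to alert on the first successful sign-in that ends a long idle period. The sketch below is an added example, not code from the article or from Material's product; the log format, the sample lines and the 90-day gap are assumptions made for illustration.

```python
from datetime import datetime, timedelta

GAP = timedelta(days=90)  # assumed dormancy threshold; the article does not define one

# Constructed sign-in log: ISO timestamp, account, source IP, outcome.
LOG = """\
2025-01-10T08:01:00+00:00 svc-report@example.com 198.51.100.7 success
2025-08-01T09:00:00+00:00 alice@example.com 203.0.113.5 success
2025-08-20T09:05:00+00:00 alice@example.com 203.0.113.5 success
2025-08-27T02:13:00+00:00 svc-report@example.com 192.0.2.44 failure
2025-08-27T02:14:00+00:00 svc-report@example.com 192.0.2.44 success
2025-08-27T02:20:00+00:00 svc-report@example.com 192.0.2.44 success
"""

def reactivations(log_text, gap=GAP):
    """Return one alert per successful sign-in that ends an idle period >= gap."""
    last_ok, seen_ips, fails, alerts = {}, {}, {}, []
    for line in sorted(log_text.splitlines()):  # same-offset ISO stamps sort by time
        ts_s, user, ip, outcome = line.split()
        ts = datetime.fromisoformat(ts_s)
        if outcome != "success":
            fails[user] = fails.get(user, 0) + 1  # failures since the last success
            continue
        prev = last_ok.get(user)
        if prev is not None and ts - prev >= gap:
            alerts.append({
                "user": user,
                "at": ts_s,
                "idle_days": (ts - prev).days,
                "new_ip": ip not in seen_ips[user],       # source never seen before
                "failures_before": fails.get(user, 0),    # guessing before success
            })
        last_ok[user] = ts
        seen_ips.setdefault(user, set()).add(ip)
        fails[user] = 0
    return alerts

if __name__ == "__main__":
    for alert in reactivations(LOG):
        print(alert)
```

An account whose last sign-in predates the log's retention window has no earlier success to compare against, so seed `last_ok` from the directory's recorded last sign-in time before replaying events.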

How Dormant Accounts Create Security Nightmares

A dormant account isn't just a passive risk; it's an active vulnerability waiting to be exploited. Attackers specifically hunt for these accounts because they provide an easy, low-resistance path into a network.

Unauthorized Access and Privilege Escalation

Dormant accounts are a "bad actor's best friend". They often suffer from poor security hygiene, such as weak or reused passwords that may have been exposed in other breaches. Crucially, they almost never have multi-factor authentication (MFA) enabled, making them trivial to compromise with a valid credential.

High-profile breaches have been traced directly back to this vulnerability:

  • Microsoft: The "Midnight Blizzard" attack involved the compromise of a dormant, non-production test account that lacked MFA.
  • Drizly: An attacker gained access to corporate credentials from a dormant GitHub account, leading to a major data breach.

Once inside, an attacker can use the dormant account's existing permissions to move laterally, escalate privileges, and access sensitive systems and data, all while appearing as a legitimate, albeit inactive, user. Research shows that a significant proportion of successful breaches leverage compromised identity credentials, with dormant accounts being a prime target.

The Danger of Stale, Excessive Permissions

The principle of least privilege (PoLP) dictates that users should only have the minimum access required to perform their jobs. Dormant accounts are a direct violation of this principle. An account for a former domain administrator, for example, retains those powerful permissions indefinitely unless they are actively removed.

This creates a massive pool of unnecessary risk. One study of Microsoft cloud environments found that while only 2% of assigned permissions were actively used, 50% of all permissions were classified as high-risk, meaning they could be used to access or destroy data. A compromised dormant account with these stale, high-risk permissions can lead directly to data exfiltration, system disruption, or ransomware deployment.

Compliance and Auditing Headaches

Beyond the direct security threats, dormant accounts create significant challenges for regulatory compliance and incident response. Regulations like GDPR, SOX, and HIPAA require strict controls over who can access sensitive data. The existence of unmonitored, over-privileged accounts is a clear violation that can lead to failed audits and hefty fines.

Furthermore, if a breach does occur, dormant accounts muddy the waters for investigators. They obscure audit trails and make it difficult to determine who was responsible for malicious activity, hindering remediation and accountability efforts.

Taking Control: A Modern Approach to IAM

Addressing the threat of dormant accounts requires moving beyond manual, periodic cleanups. You need a proactive, automated approach to Identity and Access Management that is built for the dynamic nature of modern cloud workspaces.

Implement a Lifecycle Management Policy

The first step is to establish a clear policy for the entire lifecycle of an identity, from creation to deprovisioning.

  • Automated Deprovisioning: Integrate your HR systems with your IAM platform to automatically disable and deprovision accounts when an employee or contractor departs. While many organizations claim to have automated offboarding, data shows significant gaps, with many dormant accounts retaining access and even admin privileges.
  • Regular Access Reviews: Implement a process for periodic reviews of all user accounts, especially those with privileged access. This ensures that permissions stay aligned with current job roles and that inactive accounts are identified and handled.
  • Time-Bound Access: For temporary projects or third-party access, grant permissions that automatically expire after a set period.
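A periodic access review can start from a directory export. The following is an added example, not code from the article or from Material's product: it ranks dormant accounts by whether they can still sign in, hold admin rights and lack MFA. The records are constructed, the field names follow the Google Workspace Directory API users resource, and the 90-day cutoff and scoring weights are assumptions.

```python
from datetime import datetime, timedelta, timezone

DORMANT_AFTER = timedelta(days=90)  # assumed cutoff; the article does not set one
NEVER = datetime(1970, 1, 1, tzinfo=timezone.utc)  # epoch marks "never signed in"
SAMPLE_NOW = datetime(2025, 8, 29, tzinfo=timezone.utc)  # constructed review date
# Assumed weights: an account that can still sign in outranks everything else.
WEIGHTS = {"enabled": 4, "admin": 2, "no-2sv": 1, "suspended-not-deprovisioned": 0}

def user_record(email, last, suspended=False, admin=False, mfa=False):
    """Build a constructed record with Directory API users-resource field names."""
    return {"primaryEmail": email, "lastLoginTime": last, "suspended": suspended,
            "isAdmin": admin, "isEnrolledIn2Sv": mfa}

USERS = [  # constructed sample data
    user_record("alice@example.com", "2025-08-20T09:12:00.000Z", mfa=True),
    user_record("old-admin@example.com", "2024-11-02T17:40:00.000Z", admin=True),
    user_record("contractor@example.com", "2025-03-15T08:00:00.000Z"),
    user_record("test-user@example.com", "1970-01-01T00:00:00.000Z"),
    user_record("departed@example.com", "2024-06-01T10:00:00.000Z",
                suspended=True, mfa=True),
]

def review(users, now):
    """Return dormant accounts as (email, days_idle, issues), riskiest first."""
    rows = []
    for u in users:
        last = datetime.fromisoformat(u["lastLoginTime"].replace("Z", "+00:00"))
        if now - last < DORMANT_AFTER:
            continue  # recently active, out of scope for this review
        days_idle = None if last == NEVER else (now - last).days
        # Suspended accounts stay on the list: disabled is not deprovisioned.
        issues = ["suspended-not-deprovisioned" if u["suspended"] else "enabled"]
        if u["isAdmin"]:
            issues.append("admin")    # stale privileged access
        if not u["isEnrolledIn2Sv"]:
            issues.append("no-2sv")   # a valid password alone is enough
        score = sum(WEIGHTS[i] for i in issues)
        rows.append((score, u["primaryEmail"], days_idle, issues))
    rows.sort(key=lambda r: (-r[0], r[1]))  # highest score first, then by email
    return [(email, idle, issues) for _, email, idle, issues in rows]

if __name__ == "__main__":
    for email, idle, issues in review(USERS, SAMPLE_NOW):
        age = "never signed in" if idle is None else f"{idle}d idle"
        print(f"{email:26} {age:16} {', '.join(issues)}")
```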

Enforce the Principle of Least Privilege (PoLP)

Diligently apply PoLP to all accounts, both human and non-human. By ensuring accounts only have the permissions they absolutely need, you dramatically reduce the potential damage if one is compromised. This means regularly auditing not just what accounts exist, but what they can do.

Leverage Modern Tooling for Visibility and Response

Legacy security tools are not equipped to manage the scale and complexity of identities in cloud environments like Google Workspace and Microsoft 365. You need a solution that provides deep visibility and automated response capabilities.

Platforms like Material Security are designed to close these critical IAM gaps. By continuously monitoring your cloud environment, Material can automatically identify risky configurations, including dormant accounts with excessive permissions to sensitive data. It provides the visibility needed to see which accounts are inactive and what they can access, and offers automated workflows to remediate these risks by removing unnecessary access without disrupting business operations. This modern approach to IAM helps you move from a reactive cleanup model to a proactive security posture.

Secure Your Cloud Identities

Dormant accounts are more than just digital clutter; they are a critical vulnerability that attackers are actively exploiting. Leaving them unmanaged is an invitation for a breach. By implementing a robust IAM strategy that includes automated lifecycle management, least privilege enforcement, and continuous monitoring, you can eliminate these hidden threats and significantly strengthen your security posture.

Take the first step toward securing your cloud workspace. Discover how Material Security provides the detection and response capabilities needed to find and fix identity-based risks in your Microsoft 365 and Google Workspace environments.
