• United States



UK Editor

Inactive accounts pose significant account takeover security risks

May 25, 20234 mins
AuthenticationIdentity and Access ManagementPasswords

Inactive accounts that haven’t been accessed for extended periods are more likely to be compromised due to password reuse and lack of multifactor authentication.

Person holding phone near a laptop while getting two-factor authentication info

Inactive and non-maintained accounts pose significant security risks to users and businesses, with cybercriminals adept at using information stolen from forgotten or otherwise non-upheld accounts to exploit active accounts. That’s according to Okta’s first Customer Identity Trends Report which surveyed more than 20,000 consumers in 14 countries about their online experiences and attitudes towards digital security and identity.

It found that increasing identity sprawl can trigger significant account takeover (ATO) security risks due to accounts that haven’t been used or even thought about in years, particularly if customers reuse (or only slightly alter) passwords or do not perform security reviews. A breach to any service may equip a threat actor with a huge volume of user credentials and associated personal data, with attackers adept at using this information at scale to compromise active accounts including important business accounts and networks.

The report came after Google announced that it is updating its inactivity policy for Google Accounts to two years, meaning that if a personal account has not been used or signed into for at least two years, it may delete the account and its contents. This includes content within Google Workspace (Gmail, Docs, Drive, Meet, Calendar) and Google Photos, with the new rules coming into force no earlier than December 2023, the firm said.

Account sprawl a contributing factor to inactive account risks

The sheer volume at which new accounts are set up creates notable account churn – a sprawl-like concept where newer accounts “retire” others without adding to a user’s collection of active accounts. The older accounts are not deleted but often become unused and forgotten, sometimes for years. This proliferation of accounts is most prevalent among younger users, but significant across most age groups, according to Okta’s report. The estimated number of new online accounts registered in the last three months by 18- to 29-year-olds is just over 40, dropping slightly to 35 and 34 for those aged 30-39 and 40-49, respectively. Those aged 60 and over are estimated to have set up around 20 new accounts in the last three months.

A significant challenge of account churn is the ability to securely manage and maintain digital footprints across large numbers of accounts. Okta’s report found that 71% of respondents are aware that their online activities leave a data trail, but only 44% take steps to mitigate it. Password management appears to be a particular sticking point, with 63% of respondents reporting that they’re unable to log in to an account because they forgot their username or password at least once a month, the report said. While password resets are usually possible, users might decide that the process is simply not worth the effort, leading to more account inactivity. Only 52% of respondents reported that they still have access to all their accounts, while just 42% use different passwords for each account and only 29% regularly review/change account privacy settings.

Inactive accounts less likely to use MFA, receive security checks

Inactive accounts that haven’t been accessed for extended periods of time are more likely to be compromised, according to Google. “This is because forgotten or unattended accounts often rely on old or re-used passwords that may have been compromised, haven’t had two-factor (2FA) authentication set up, and receive fewer security checks by the user,” the firm added.

In fact, abandoned accounts are at least ten-times less likely than active accounts to have 2FA set up, Google said. This makes these accounts particularly vulnerable, and once an account is compromised, they can be used for anything from identity theft to a vector for unwanted or even malicious content, like spam.

Cybercriminals prioritizing stolen credentials to enhance attacks

More than 80% of breaches involving attacks against web applications can be attributed to stolen credentials, according to the Verizon 2022 Data Breach Investigations Report. Cybercriminals are prioritizing stolen credentials to enhance attacks and bypass security measures, even demonstrating a willingness to shift away from malware in favor of credential abuse to facilitate access and persistence in victim environments. This trend has also created clear demand for access broker services – criminal groups that sell stolen access credentials. There was a 112% year-over-year increase in advertisements for access broker services identified last year compared to 2021, with more than 2,500 advertisements for access detected across the criminal underground, according to the CrowdStrike 2023 Global Threat Report.

UK Editor

Michael Hill is the UK editor of CSO Online. He has spent the past five-plus years covering various aspects of the cybersecurity industry, with particular interest in the ever-evolving role of the human-related elements of information security. A keen storyteller with a passion for the publishing process, he enjoys working creatively to produce media that has the biggest possible impact on the audience.

More from this author