
5 Ways Ghost Accounts Haunt Your Cybersecurity


And how to ensure your systems aren’t open to attack from legacy or dormant user accounts

Busting ghost accounts should be a high priority for businesses these days.

You don’t want to be flagged as non-compliant in an audit just because someone still has admin access months after they left.

Dormant accounts lead to serious cybersecurity risks. It’s a bit like locking your front door without knowing who has all the spare keys. 

Fortunately, there are some simple ways to detect and stop ghost accounts, which we’ll cover in this article.

What Are Ghost Accounts? 

Ghost accounts are user profiles that haunt your system after a person has left or changed roles.

They usually happen because HR forgot to flag a resignation or missed an offboarding step. For example, a former finance manager might keep access to payroll software months after leaving, as the IT team wasn’t told by HR that they’d moved on.

What Are Zombie Accounts?

Zombie accounts are slightly different. A zombie account belongs to someone who still works within the company, but doesn’t use it anymore and forgot to shut it down.

For example, an admin staff member might move to another department, leaving an old account dormant with open system access and elevated permissions. Nobody has logged into it for months, but it hasn’t been disabled either. These can get flagged for non-compliance during an audit, or worse still, provide a convenient backdoor for hackers to get in and steal data.

Another example could be a developer who set up a test account during a product launch, gave it full admin access to speed things up, then forgot to delete it afterwards. Months later, it’s still there with wide-open permissions, an easy target for anyone looking to sneak in unnoticed.

Why Are Ghost Accounts Problematic?

Zombie and ghost accounts pose serious cybersecurity risks, and if a bad actor gains access, they can take a big chunk out of your bottom line. 

One of the most effective ways to deal with the ghost account problem is to use identity and access management (IAM) solutions, which prevent unauthorised access and include features to find and close ghost accounts. 

Before we look at IAMs in more depth, let’s see exactly how dormant accounts can hurt your organisation if they’re not addressed.

1. Nobody’s Using It, So Nobody’s Watching It

Because ghost accounts aren’t used daily, if a hacker gets in, they might be able to access your system without tripping any alarms. 

If the account is technically “active”, but unmonitored, suspicious activity won’t be flagged and attackers can poke around for days, weeks, months, or even years undetected.

For example, in January 2024, Microsoft experienced a serious internal security breach. The attackers didn’t brute-force a live system, instead gaining access through a forgotten non-production admin account used for testing. It had a weak password and no multi-factor authentication (MFA) which made it an easy target.

The zombie account gave intruders a backstage pass to sensitive internal emails and data from Microsoft’s cybersecurity and legal teams. This embarrassing and damaging data breach could have been easily avoided by detecting and shutting it down earlier.

2. No Flag During Audits

Legacy accounts for contractors and temp workers often fall outside the scope of regular access audits or typical IAM oversight. Sometimes they’re missed during offboarding, which makes them easy prey for hackers.

For example, Australian telecom company Tangerine suffered a major cyberattack in 2024, during which the personal data of 232,000 customers was exposed. The leaked information included names, email addresses, birth dates, and account numbers.

It turned out the breach stemmed from a single contractor’s login which was tied to a legacy customer database. The account wasn’t deactivated and data wasn’t secured well enough, allowing hackers to break in easily.

3. Shared Logins = Increased Risk

Ghost and zombie accounts are bad enough when one person has access, but what if several people do? People often share logins for things like admin or marketing tools within a department, even if it goes against company policy. 

If someone reuses a shared password outside of the organization or it gets leaked, a hacker could access the system and cause real problems.

4. Non-Compliance Has A Heavy Cost

A ghost account that has access to user data could land you in hot water with data privacy regulations, including GDPR in Europe and HIPAA in the US. Even if the account doesn’t get hacked, when auditors arrive you could face punishment.

If the account is ever linked to a serious data breach or serious negligence is proven, you can end up with fines that run into millions.

Severe violations of GDPR regulations see fines of up to €20 million, or 4% of global annual revenue, whichever is greater. In 2020, British Airways was fined nearly £20 million by the UK’s ICO (initially proposed at £183 million) after a data breach exposed hundreds of thousands of customers’ details.

5. Access Creep

Although not strictly related to ghost accounts, access creep occurs when team members gradually get more and more permissions over time. Maybe they help out another team and get temporary access to a tool that doesn’t get revoked when the project is over. Multiply that across a whole company, and you’ve got hundreds of people with more access than they need, widening the target for hackers.

Why Regular Access Reviews Are So Important

Verizon’s 2025 Data Breach Investigations Report revealed there has been a 34% increase in cyberattackers exploiting internal vulnerabilities in recent years. 

One way to combat this growing risk is to carry out regular access reviews. An access review is a checkup on who can get into what. Every few months, you ask questions like:

“Does Jamie still need access to this file, system, tool, dataset, or admin dashboard?”

If not, then you remove access. 

It sounds very basic, but it’s surprising how many organizations delay these reviews or skip them altogether. Sometimes it’s down to a lack of resources and time, but in some cases there’s also a lack of awareness.

Without frequent access reviews, you end up with ghost accounts and outdated permissions. They should be a core part of security hygiene, as they’re just as important as patching your software and updating your antivirus.

Save Time with IAM Tools

Many companies still do access reviews manually which means digging through logs and emailing managers. It works, but it’s slow and error-prone. That’s why it often gets pushed down the priority list.

These days, there’s a much easier way to review and stay in control of access management using IAM tools that automate a lot of the grunt work.

Spot Risky Access Automatically

Modern IAM tools can scan your systems and HR data in the background, flagging any dormant or suspicious accounts. The system gives you a heads-up when something looks off, such as an old admin account that hasn’t been touched for months but still has full access.
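The check described here, and the review question from the access-review section above, reduced to a small script. This is an added example, not Identum's or eADM's code: it assumes a directory export (user, enabled flag, admin flag, last logon) and an HR roster of currently employed user IDs, both constructed inline, and classifies each account as a ghost (HR no longer lists the user), a zombie (still employed but idle past a threshold) or fine.

```python
from datetime import date

# Constructed sample data (not from any real system): an export of directory
# accounts and the set of user IDs that HR currently lists as employed.
DIRECTORY = [
    {"user": "jamie",    "enabled": True,  "admin": False, "last_logon": date(2025, 8, 20)},
    {"user": "finmgr",   "enabled": True,  "admin": True,  "last_logon": date(2025, 2, 3)},
    {"user": "alex",     "enabled": True,  "admin": True,  "last_logon": date(2025, 1, 15)},
    {"user": "svc_test", "enabled": True,  "admin": True,  "last_logon": date(2024, 11, 5)},
    {"user": "old_ctr",  "enabled": False, "admin": False, "last_logon": date(2024, 6, 1)},
]
HR_ACTIVE = {"jamie", "alex"}   # finmgr has left; svc_test never had a registered owner
TODAY = date(2025, 9, 1)        # fixed "today" so the run is reproducible

def classify(account, hr_active, today, dormant_days=90):
    """Return 'ok', 'ghost', 'zombie' or 'disabled' for a single account.

    ghost  - enabled account whose user HR no longer lists (or never listed).
    zombie - user still employed, but no logon for more than dormant_days.
    """
    if not account["enabled"]:
        return "disabled"
    if account["user"] not in hr_active:
        return "ghost"
    if (today - account["last_logon"]).days > dormant_days:
        return "zombie"
    return "ok"

def review(directory, hr_active, today, dormant_days=90):
    """Run an access review over a directory export.

    Returns the findings (everything that is not 'ok' or already disabled),
    with admin accounts first and then the longest-idle ones, so the riskiest
    entries land at the top of the report.
    """
    findings = []
    for acct in directory:
        kind = classify(acct, hr_active, today, dormant_days)
        if kind in ("ok", "disabled"):
            continue
        findings.append({
            "user": acct["user"],
            "kind": kind,
            "admin": acct["admin"],
            "days_idle": (today - acct["last_logon"]).days,
        })
    findings.sort(key=lambda f: (not f["admin"], -f["days_idle"]))
    return findings

if __name__ == "__main__":
    for f in review(DIRECTORY, HR_ACTIVE, TODAY):
        flag = "ADMIN " if f["admin"] else ""
        print(f"{flag}{f['kind']:6} {f['user']:9} idle {f['days_idle']} days")
```

Feeding the same two inputs into a scheduled job is the automated version of asking "does Jamie still need this?" for every account; the sort order is what turns a long list into a prioritised one.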

Schedule Regular Access Reviews

IAM tools can be set up to run access reviews automatically: monthly, quarterly, or on whatever schedule works for your team. The tool checks who has access to what, then bundles the results into a simple overview. The report is sent straight to IT and HR department heads to review and approve. You get everything in one place, presented in a clean and clear way.

Revoke Access When People Leave

Some IAM platforms, like Identum’s eADM, go one step further. They link up directly with your HR system, such as Visma, Unit4, or Simployer, and instantly revoke access when someone leaves or changes roles. 

Get Onboarding Right Too

IAM tools also make onboarding easier. When someone joins, they get access to just what they need. When they leave, those permissions are automatically removed. It’s fast, clean, and a lot less risky than relying on email chains or manual checklists.

Cut Waste With License Tracking

If someone has a license they haven’t touched in six months, maybe they don’t need it anymore. Some IAM tools track how often software is actually used, which means you can spot unused licences and cut costs.

Make Changes Easy For Managers

IAM platforms often use simple, form-based workflows for access status changes. A manager fills out a request, e.g. “Jamie needs access to Tool X” and the system handles the rest. 

Build a Clear Audit Trail

Every login, every access change, and every file opened or modified can be logged in the system, giving you a full audit trail. If there’s ever a breach or a compliance check, you’ve got all the records you need at your fingertips.

Webinar: Become NIS2 Compliant with IAM and IGA

Join our online webinar on the 3rd of September 2025 to learn more about how IAM and IGA will make NIS2 compliance easier and more robust.
