Who Still Has Access? Zombie Accounts Are the Security Risk You’re Probably Ignoring

Bao Ha

/

/

Reading Time: 2 minutes

Okay, quick gut check:
If someone left your company six months ago… do they still have access to GitHub?

If you hesitated—even for a second—let’s talk.

Because here’s the thing: in most scaleups, access management is kind of like flossing. Everyone knows it’s important. Nobody does it as often as they should.

The Quiet Security Threat That Grows While You Sleep

Zombie accounts are real.
And no, I’m not talking about phishing emails or zero-days.
I mean the engineer who left in January.
The intern from last summer.
The contractor who helped with a migration… in 2022.

They’re gone.
But their access?
Still alive and kicking.

That means stale GitHub accounts tied to Gmail addresses.
Slack API tokens that haven’t been rotated since the last funding round.
Old AWS IAM users with full admin access and no MFA.

Some of these accounts:

  • Aren’t behind SSO
  • Don’t show up in your dashboards
  • Still work just fine

And that’s terrifying.

This Isn’t Just IT Hygiene. It’s a Door Left Wide Open.

If you’re a CTO, you don’t need me to tell you what happens next.
An old credential leaks.
An unused API token gets scraped.
Suddenly, a long-dormant user becomes the pivot point in an actual breach.

Zombie access is the worst kind of risk—because it’s both high-privilege and invisible.

Why Most Teams Miss This (Even the Smart Ones)

Look, no one wakes up and says “Let’s make our IAM sloppy.”
But this stuff falls through the cracks because:

  • Onboarding is fast. Offboarding isn’t.
  • Security owns tooling. But offboarding lives with HR.
  • Everyone’s focused on shipping. Until they’re focused on incident response.

And if you’ve got a distributed team or contractors? It gets worse.

What You Can Do (And Yes, You Can Do It in a Sprint)

You don’t need a six-month IAM overhaul.
You just need to be deliberate about closing the loop.

Here’s a punch list that works:

  • ✅ Hook HR and Slack into offboarding
     When someone leaves, trigger a cleanup checklist automatically.
  • ✅ Audit by identity, not just email
     Look for anything tied to personal domains—especially Gmail, Outlook, or vendor domains.
  • ✅ Kill dormant accounts
     Anything idle for 30+ days? Flag it. 60+? Kill it.
  • ✅ Rotate shared credentials
     If you’re still sharing VPN creds or SSH keys (and yes, many are), rotate on contractor exit—every time.
  • ✅ Enforce SSO + MFA
     Everywhere. No more “legacy tool” exceptions for dev environments.

You can knock out most of this in a week. And the payoff?
Long-term resilience that scales with your team.

IAM Doesn’t Scale in Your Head

At 10 people, you can track access mentally.
At 50, you can’t.
At 150+, it’s a security incident waiting to happen.

If you’re leading infrastructure or product security, this isn’t optional hygiene—it’s foundational. And if no one owns it? It owns you.

Hire and Pay Anyone 
in 150+ countries

We handle all legal compliance and payroll work, so you can focus on scaling your company and global team.

HIRE INTERNATIONALLY NOW

Categories

Hire Skilled Developers for your Mission-Critical Software Projects

Enhance your tech team with a curated list of candidates that are pre-qualified for the skills you need.

INTERVIEW DEVELOPERS IN 48H

Related Posts

🛡 Exposed from the Inside: How IAM Missteps Turn Small Breaches Into Full-Scale Ransomware Incidents 🛠 Everyone’s an Admin: The Hidden Risk Lurking in Your Engineering Access hiring-abroad-legal-risksWhat Are The Legal Risks When Hiring Abroad? How To Resolve Them? ☁️ Backups Won’t Save You: Why Cloud and Data Resilience Fall Apart Without Security