2024-06-15

How long do dormant accounts stay active?

Accounts that haven't been used in months are prime targets for attackers. Why do we keep them around?

A dormant account is an account that has not been logged into for an extended period—typically 30, 60, or 90 days. In many organizations, these accounts sit silently, accumulating dust, but remaining perfectly valid.

The Silent Threat

Dormant accounts are exceptionally dangerous for two reasons:

  1. They go unnoticed: If an active user's account is compromised and someone else starts logging in, the legitimate user might notice anomalies. If a dormant account is compromised, nobody is watching.
  2. They accumulate privileges: Over time, accounts tend to gain permissions. An account created two years ago for a specific project might still have access to sensitive systems long after the project ended.

The Typical Culprits

  • Contractors and Consultants: They finish their work, but their access is never revoked.
  • Former Employees (Missed): Accounts that slipped through the offboarding process. These overlap directly with the ex-employee access problem, which is worth reading alongside this article.
  • Abandoned Service Accounts: Integrations that were tested and forgotten.

The Fix: Continuous Pruning

Security hygiene requires continuous pruning. Dormant accounts should be automatically disabled or deleted. If someone genuinely needs the access again later, they can request it. The minor inconvenience of a re-provisioning request is a small price to pay for the massive reduction in attack surface.
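The pruning loop described above can be expressed as a small review script. The following is an added example, not code from this article or from Kastrum: it runs over a constructed last-login export, measures idle time from the last login (or from creation for accounts that never signed in), and stages each account as ok, disable, or delete using configurable thresholds. The threshold values and the stricter service-account limit are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass
class Account:
    name: str
    kind: str                       # "user" or "service"
    created: datetime
    last_login: Optional[datetime]  # None means the account has never signed in

def dormancy_actions(accounts, now, threshold_days=90,
                     service_threshold_days=30, delete_grace_days=90):
    """Classify each account as 'ok', 'disable' or 'delete'.

    Idle time is measured from the last login, or from creation when the
    account has never logged in, so a freshly provisioned account is not
    flagged on day one. Service accounts get a stricter threshold (assumed
    here) because nobody notices when an integration stops being used.
    Deletion happens only after an extra grace period past the disable point,
    leaving time for a genuine owner to request re-provisioning."""
    actions = {}
    for a in accounts:
        limit = service_threshold_days if a.kind == "service" else threshold_days
        idle = (now - (a.last_login or a.created)).days
        if idle >= limit + delete_grace_days:
            actions[a.name] = "delete"
        elif idle >= limit:
            actions[a.name] = "disable"
        else:
            actions[a.name] = "ok"
    return actions

# Constructed sample export (not real data); "now" is pinned so results are stable.
NOW = datetime(2024, 6, 15, tzinfo=timezone.utc)
ACCOUNTS = [
    Account("alice",          "user",    NOW - timedelta(days=700), NOW - timedelta(days=3)),
    Account("contractor-bob", "user",    NOW - timedelta(days=400), NOW - timedelta(days=120)),
    Account("old-project",    "user",    NOW - timedelta(days=730), NOW - timedelta(days=400)),
    Account("ci-integration", "service", NOW - timedelta(days=200), None),
    Account("new-hire",       "user",    NOW - timedelta(days=10),  None),
]

if __name__ == "__main__":
    for name, action in sorted(dormancy_actions(ACCOUNTS, NOW).items()):
        print(f"{name:16} {action}")
```

Feed it the real export from your identity provider and schedule it; the same function with `threshold_days=30` shows how a tighter policy moves accounts from disable straight to delete.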

Understanding your full SaaS access risk surface helps prioritize which dormant accounts to tackle first. Kastrum identifies accounts that have been inactive for configurable thresholds, allowing your team to clean up stale access before it becomes a vulnerability. See our solutions for identity hygiene.