Inactive accounts pose important account takeover safety dangers

Inactive and non-maintained accounts pose important safety dangers to customers and companies, with cybercriminals adept at utilizing data stolen from forgotten or in any other case non-upheld accounts to use energetic accounts. That’s in keeping with Okta’s first Customer Identity Trends Report which surveyed greater than 20,000 shoppers in 14 international locations about their on-line experiences and attitudes in the direction of digital safety and identification.

It discovered that growing identification sprawl can set off important account takeover (ATO) safety dangers resulting from accounts that haven’t been used and even thought of in years, notably if prospects reuse (or solely barely alter) passwords or don’t carry out safety critiques. A breach to any service might equip a menace actor with an enormous quantity of person credentials and related private information, with attackers adept at utilizing this data at scale to compromise energetic accounts together with essential enterprise accounts and networks.

The report got here after Google announced that it’s updating its inactivity coverage for Google Accounts to 2 years, that means that if a private account has not been used or signed into for at the least two years, it might delete the account and its contents. This contains content material inside Google Workspace (Gmail, Docs, Drive, Meet, Calendar) and Google Pictures, with the brand new guidelines coming into pressure no sooner than December 2023, the agency stated.

Account sprawl a contributing issue to inactive account dangers

The sheer quantity at which new accounts are arrange creates notable account churn – a sprawl-like idea the place newer accounts “retire” others with out including to a person’s assortment of energetic accounts. The older accounts should not deleted however typically change into unused and forgotten, typically for years. This proliferation of accounts is most prevalent amongst youthful customers, however important throughout most age teams, in keeping with Okta’s report. The estimated variety of new on-line accounts registered within the final three months by 18- to 29-year-olds is simply over 40, dropping barely to 35 and 34 for these aged 30-39 and 40-49, respectively. These aged 60 and over are estimated to have arrange round 20 new accounts within the final three months.

A big problem of account churn is the flexibility to securely handle and preserve digital footprints throughout massive numbers of accounts. Okta’s report discovered that 71% of respondents are conscious that their on-line actions go away an information path, however solely 44% take steps to mitigate it. Password administration seems to be a specific sticking level, with 63% of respondents reporting that they’re unable to log in to an account as a result of they forgot their username or password at the least as soon as a month, the report stated. Whereas password resets are normally attainable, customers would possibly resolve that the method is just not definitely worth the effort, resulting in extra account inactivity. Solely 52% of respondents reported that they nonetheless have entry to all their accounts, whereas simply 42% use completely different passwords for every account and solely 29% repeatedly assessment/change account privateness settings.

Inactive accounts much less doubtless to make use of MFA, obtain safety checks

Inactive accounts that haven’t been accessed for prolonged intervals of time usually tend to be compromised, in keeping with Google. “It’s because forgotten or unattended accounts typically depend on previous or re-used passwords which will have been compromised, haven’t had two-factor (2FA) authentication arrange, and obtain fewer safety checks by the person,” the agency added.