A cyberattack on an American city’s water utility was made possible after IT staff failed to disable a dormant account belonging to a long-departed auditor. This oversight granted hackers privileged access to control vital water management systems, highlighting major security lapses in account and access management.
- Dormant user account retained high-level access for years after employee departure
- Hackers leveraged leaked credentials linked to outdated work email
- Regular access audits and credential hygiene could prevent similar breaches
What happened
Hackers gained unauthorized access to a city’s network by exploiting an account belonging to a former auditor who had left employment years earlier. This ‘zombie’ account still held domain admin and SCADA control privileges, allowing the intruders to manipulate water utility systems and other network resources. Initial exploration by the attackers targeted less critical endpoints, but they quickly escalated to more sensitive operational controls once access was established.
The investigation traced the intrusion back to the dormant account, which had never been disabled or removed from the system. The former employee had used the official work email for external online accounts that were potentially exposed in previous data breaches. It is likely the hackers used leaked credentials related to this email to compromise the city’s systems, enabling them to carry out the attack without needing direct knowledge of internal authentication mechanisms.
Why it matters
This incident demonstrates the severe risks associated with neglecting user account lifecycle management in critical infrastructure environments. Leaving old accounts active with broad permissions creates easy attack vectors that can be exploited remotely, potentially endangering public safety. Water utilities control essential resources, and unauthorized tampering could disrupt service and risk public health.
Beyond the specific case, the breach highlights common security missteps such as reuse of passwords across multiple platforms and lack of regular reviews of user access privileges. Many organizations assume employee offboarding automatically includes account deprovisioning, but this case shows that assumption is dangerous without verification processes. Regular audits and strict credential policies are essential to prevent similar security failures.
What to watch next
Municipalities and critical infrastructure operators should prioritize thorough review and immediate revocation of access credentials for departing employees. Adoption of automated tools to identify dormant or unused accounts could significantly reduce exposure to such risks. Additionally, enforcing network segmentation and least privilege access along with enhanced monitoring for anomalous activity could mitigate damage in case of account compromise.
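As an added example (not part of the original report), the following Python script shows the kind of check such an automated review performs: it reads a directory export, keeps only enabled accounts in a privileged group, and flags those that are dormant or whose owner HR lists as departed. The export format, group names and every account in it are constructed for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample directory export (not real data), in the shape of a CSV
# dumped from the directory: account name, enabled flag, last logon date,
# semicolon-separated groups, and the HR system's status for the owner.
SAMPLE_EXPORT = """\
sam,enabled,last_logon,groups,hr_status
j.auditor,True,2019-03-14,Domain Admins;SCADA-Operators,terminated
ops.user1,True,2024-05-30,SCADA-Operators,active
svc-backup,True,2024-06-01,Domain Admins,active
legacy.admin,True,2023-11-02,Domain Admins,active
former.vendor,True,2024-06-10,SCADA-Operators,terminated
old.contractor,False,2020-01-10,Domain Admins,terminated
"""

# Assumed group names; adjust to the groups that actually grant control.
PRIVILEGED_GROUPS = {"Domain Admins", "SCADA-Operators"}
DORMANT_AFTER = timedelta(days=90)

def audit_privileged_accounts(csv_text, today, privileged=PRIVILEGED_GROUPS,
                              dormant_after=DORMANT_AFTER):
    """Return enabled accounts holding a privileged group that are either
    dormant (no logon within dormant_after) or owned by a departed user.
    today is an ISO date string; each finding lists why it was flagged."""
    now = datetime.strptime(today, "%Y-%m-%d")
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["enabled"].strip().lower() != "true":
            continue  # already disabled: nothing to revoke
        held = {g.strip() for g in row["groups"].split(";")} & privileged
        if not held:
            continue  # unprivileged accounts are out of scope for this check
        idle_days = (now - datetime.strptime(row["last_logon"], "%Y-%m-%d")).days
        reasons = []
        if idle_days > dormant_after.days:
            reasons.append(f"dormant for {idle_days} days")
        if row["hr_status"].strip().lower() == "terminated":
            # A departed owner whose account still logs on is the urgent case.
            reasons.append(f"owner terminated, last logon {idle_days} days ago")
        if reasons:
            findings.append({"account": row["sam"],
                             "groups": sorted(held), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in audit_privileged_accounts(SAMPLE_EXPORT, "2024-06-15"):
        print(finding)
```

A terminated owner with a recent logon (the `former.vendor` row) is the pattern that matched this incident, so such findings deserve immediate revocation and a look at the logon source.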
The broader cybersecurity community will be monitoring how this and similar incidents influence regulations and best practices for access control in public sector networks. Emphasis on mandatory periodic access reviews and stronger password management policies is expected to gain prominence. Stakeholders should also watch for emerging technologies focused on identifying and remediating ‘zombie’ accounts, to bolster organizational defenses against the threat posed by legacy insider accounts.