AQ'S Corner

Old accounts aren’t just clutter; they’re risks. Here’s how a 3 a.m. alert reminded me why Identity and Access Management matters, even at home.

At 3 a.m., I woke up to one of those alerts no one likes to see: an old account of mine on a platform I hadn’t touched in years first showed a failed password attempt, then a successful password change. I had assumed I’d already closed out every account on that platform, but one slipped through. To make things more interesting, it was tied to an email address I rarely use anymore but still monitor. (The good news? That email account does have MFA, so at least the “old gatekeeper” was locked up properly.)

The account itself was created before multi-factor authentication (MFA) became common. While MFA existed in earlier forms: like bank cards and PINs. It wasn’t until the early 2010s that companies such as Google and Microsoft made it mainstream. This account came from that “pre-MFA” era, when added security wasn’t yet the default.

I wasn’t surprised. I knew exactly what was happening and why. Dormant accounts are often the easiest targets. They don’t benefit from modern security updates, they’re rarely monitored, and they usually lack protections like MFA. Attackers count on people forgetting about them. That’s why I immediately deleted the account. But I didn’t stop there. I used the moment as a checkpoint to scan through my digital footprint. I started identifying other accounts I no longer used and deleted them, too. By eliminating unnecessary accounts, I was reducing my attack surface, the total number of doors and windows an attacker could try to get through.

This kind of cleanup is part of a major area of cybersecurity called Identity and Access Management (IAM). IAM is all about making sure the right people have the right access to the right systems, and just as importantly, that people don’t keep access they no longer need. Within IAM, there’s a concept called Account Lifecycle Management. Think of it like the life story of an account: it’s created, it’s used, and eventually, it should be closed when it no longer serves a purpose. The problem is, many people never get to that last step. That’s how old, forgotten accounts become dangling threads for attackers to pull on.

This ties directly into three important risk concepts: risk avoidance, risk acceptance, and risk appetite.

Risk Avoidance is choosing to remove a potential threat altogether. For me, shutting down unused accounts was risk avoidance in action. If I don’t need it, I don’t keep it.

Risk Acceptance is understanding that some risk will always exist. Even with MFA and strong passwords, nothing online is completely risk-free. I accept that reality, because the benefits of living and working online far outweigh the risks of disconnecting.

Risk Appetite is about how much risk you’re willing to live with. Everyone has a different threshold. I have a very low appetite for keeping old accounts around. The value just isn’t there compared to the exposure they create.

That 3 a.m. alert didn’t surprise me; it reinforced something I already practice: dormant accounts are liabilities. They’re outdated, unmonitored, and exactly the kind of low-hanging fruit attackers go after.

My advice is simple: do your own IAM check-up. Audit your accounts. Keep the ones you use, secure them with MFA and strong passwords, and close the ones that are gathering dust. You don’t leave every door in your house unlocked just because you’re not using it. Don’t do it with your digital life either.