Forgotten admin accounts become open doors for critical‑infrastructure attacks
#Security

Trends Reporter
4 min read

A former employee’s dormant admin account let attackers toggle water‑utility controls, highlighting how weak deprovisioning and password reuse can endanger essential services.

When a city’s water‑utility SCADA system was briefly hijacked last month, the breach traced back to a single, long‑inactive user: “Greg from Auditing”. Greg left the municipal workforce years ago, yet his domain‑admin account remained active, still holding privileges to change pump settings, disable alarms and even reset help‑desk passwords. The attackers, after a low‑stakes “tour” of conference‑room projectors, discovered the dormant account, pulled from a public breach dump the password Greg had reused on a consumer site, and used it to flip water‑treatment switches.


Why this incident matters

  • Critical‑infrastructure exposure – SCADA networks control physical processes; a single credential can move water flow, alter chemical dosing, or shut down treatment plants. The water‑utility breach shows that cyber‑risk assessments must treat privileged accounts as physical‑security concerns.

  • Account‑lifecycle gaps – Many municipal IT teams rely on manual off‑boarding. When an employee departs, HR notifies IT, but the actual deprovisioning steps—removing AD groups, revoking service‑account tokens, deleting cloud‑API keys—are often scattered across spreadsheets and legacy tools.

  • Password‑reuse across domains – Greg’s work email was linked to a personal shopping site that suffered a data leak. The same password appeared in the breach dump, handing the attackers a ready‑made credential. Stolen and reused credentials are, year after year, among the most common initial‑access vectors in the Verizon Data Breach Investigations Report.


Evidence from the investigation

Security engineer Nicole Beckwith, now at Cribl, was consulted after the city’s incident response team flagged the anomaly. Her team discovered:

  1. An active AD account with domain‑admin rights that had not logged in for over three years.
  2. SCADA operator permissions attached to the same account, granting direct control over pump stations.
  3. Help‑desk password‑reset capability, allowing the attacker to pivot to other service accounts.
  4. A password hash matching a known leak from a public breach of a retail site where Greg used his work email for a loyalty program.
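What the investigators enumerated by hand can be run as a routine audit. The script below is an added example, not tooling from the incident response or from any vendor named on this page: it walks a constructed directory export, resolves nested group membership (the way a domain‑admin right can hide inside an intermediate group), and flags enabled privileged accounts that are dormant, that HR has marked terminated, or that have no HR owner at all. The user names, the HR roster, the group SCADA-Operators and the 90‑day threshold are assumptions for illustration; Domain Admins and Account Operators are real built‑in AD groups.

```python
"""Privileged-account audit over a constructed Active Directory export.

Added example: the data below is made up for illustration, and the group
name SCADA-Operators is an assumption, not a name from the incident.
"""
from datetime import datetime, timedelta, timezone

# Groups whose membership counts as privileged for this audit.
PRIVILEGED_GROUPS = {"Domain Admins", "Account Operators", "SCADA-Operators"}

# Constructed export: group -> direct members (users or other groups).
AD_GROUPS = {
    "Domain Admins":     ["IT-Legacy", "jsmith", "svc-backup"],
    "IT-Legacy":         ["gwalters"],        # nested: hides gwalters from a flat listing
    "Account Operators": ["helpdesk1", "gwalters"],
    "SCADA-Operators":   ["gwalters", "operator1"],
    "Auditing-Staff":    ["gwalters", "mlee"],
}

# Constructed export: account state as Get-ADUser / ldapsearch would report it.
AD_USERS = {
    "gwalters":   {"enabled": True,  "last_logon": "2022-02-11T08:03:00+00:00"},
    "jsmith":     {"enabled": True,  "last_logon": "2025-05-30T17:41:00+00:00"},
    "helpdesk1":  {"enabled": True,  "last_logon": "2025-05-31T09:15:00+00:00"},
    "operator1":  {"enabled": True,  "last_logon": "2025-05-31T06:02:00+00:00"},
    "mlee":       {"enabled": False, "last_logon": "2024-12-01T12:00:00+00:00"},
    "svc-backup": {"enabled": True,  "last_logon": None},
}

# Constructed HR system of record; anyone absent here has no owner.
HR_STATUS = {"gwalters": "terminated", "jsmith": "active", "helpdesk1": "active",
             "operator1": "active", "mlee": "terminated"}

AS_OF = datetime(2025, 6, 1, tzinfo=timezone.utc)   # fixed so the run is reproducible
DORMANT_AFTER = timedelta(days=90)


def effective_groups(member, groups=AD_GROUPS):
    """Every group `member` belongs to, following nested group membership."""
    parents = {}
    for group, members in groups.items():
        for m in members:
            parents.setdefault(m, set()).add(group)
    seen, stack = set(), [member]
    while stack:
        for g in parents.get(stack.pop(), ()):
            if g not in seen:
                seen.add(g)
                stack.append(g)
    return seen


def audit(users=AD_USERS, hr=HR_STATUS, as_of=AS_OF):
    """Return {sam: {"privilege": [...], "reasons": [...]}} for enabled accounts
    that hold privilege nobody is using, or that nobody should hold at all."""
    findings = {}
    for sam, acct in users.items():
        if not acct["enabled"]:
            continue                         # already contained
        priv = effective_groups(sam) & PRIVILEGED_GROUPS
        if not priv:
            continue
        reasons = []
        last = acct["last_logon"]
        if last is None:
            reasons.append("never logged on")
        elif as_of - datetime.fromisoformat(last) > DORMANT_AFTER:
            reasons.append(f"dormant since {last[:10]}")
        status = hr.get(sam)
        if status == "terminated":
            reasons.append("HR record terminated but account enabled")
        elif status is None:
            reasons.append("no HR owner (orphaned service account?)")
        if reasons:
            findings[sam] = {"privilege": sorted(priv), "reasons": reasons}
    return findings


if __name__ == "__main__":
    for sam, f in audit().items():
        print(f"{sam:11} {', '.join(f['privilege'])}\n    -> " + "; ".join(f["reasons"]))
```

Run against the constructed data, the audit surfaces exactly the two accounts a manual review tends to miss: the terminated auditor whose domain‑admin right arrives through a nested group, and a service account with no HR owner that has never logged on. Disabling (rather than deleting) flagged accounts keeps the SID history intact for the forensic timeline.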

The forensic timeline shows the attacker logged in, changed several valve states, and then logged out before the city’s monitoring tools raised an alarm. No contamination of the water supply occurred, but the episode prompted an emergency shutdown of the affected segment and a costly audit of all privileged accounts.


Counter‑perspectives and broader patterns

While the city’s failure to delete a dormant account is glaring, some experts caution against over‑simplifying the root cause. James Whitaker, a senior consultant at Mandiant, points out that many municipalities run on legacy Active Directory forests that lack modern automation APIs. “Even with the best policies, you need tooling that can scan for orphaned privileged objects and quarantine them automatically,” he says. In environments where budget constraints limit the purchase of privileged‑access‑management (PAM) platforms, manual reviews become a bottleneck.

Another angle focuses on the attacker’s methodology. The breach did not involve sophisticated zero‑day exploits; it relied on credential stuffing, the automated replay of passwords harvested from earlier leaks. This suggests that better password hygiene (unique, high‑entropy secrets screened against known breach corpora) and multi‑factor authentication could have stopped the intrusion even if the account had remained active. Microsoft’s published security telemetry has repeatedly shown MFA blocking well over 99 % of automated account‑compromise attempts. The caveat for utilities is that legacy logon paths (NTLM, older SCADA HMI and remote‑access front ends) often cannot enforce a second factor at all, which is why disabling unused privileged accounts remains the one control that works everywhere.

Finally, some municipal IT leaders argue that continuous monitoring should complement periodic audits. Real‑time detection of anomalous privileged‑account activity—such as logins from unusual locations or at odd hours, or a first logon after years of silence—can trigger immediate containment before an attacker reaches operational systems. Solutions like Microsoft Sentinel (formerly Azure Sentinel) or Splunk Enterprise Security can ingest AD logs and SCADA telemetry to surface such patterns.
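The correlation the paragraph above describes, as an added example over constructed log lines (not the utility’s telemetry, and not a rule set from either SIEM named here): privileged logons are scored for off‑hours timing, an address outside the plant network, and reactivation of a dormant account, and any control‑system command issued by a flagged account within a short window is escalated for containment. The log format, the 10.10.0.0/16 range, the business‑hours window, the account names and the baseline are all assumptions.

```python
"""Correlate privileged-account logons with control-system commands.

Added example over constructed log lines; nothing here is the utility's
real telemetry or a vendor detection rule.
"""
import ipaddress
from datetime import datetime, timedelta

PRIVILEGED = {"gwalters", "jsmith"}                 # assumed: output of the account audit
INTERNAL = ipaddress.ip_network("10.10.0.0/16")     # assumed corporate/plant address range
BUSINESS_HOURS = range(6, 19)                       # assumed: 06:00-18:59 UTC
DORMANT_AFTER = timedelta(days=90)
CORRELATION_WINDOW = timedelta(minutes=30)

# Constructed baseline: last successful logon per account before this window.
BASELINE_LAST_LOGON = {
    "gwalters": datetime(2022, 2, 11, 8, 3),
    "jsmith":   datetime(2025, 5, 11, 16, 40),
}

# Constructed sample, already normalised to 'timestamp source key=value ...'
# (auth = domain-controller logon events, scada = historian command log).
SAMPLE_LOG = """\
2025-05-12T09:02:11Z auth user=jsmith src=10.10.4.21 result=success
2025-05-12T02:14:07Z auth user=gwalters src=203.0.113.45 result=success
2025-05-12T02:19:33Z scada user=gwalters cmd=SET_VALVE tag=PS3-V7 value=closed
2025-05-12T02:20:02Z scada user=gwalters cmd=SET_ALARM tag=PS3-HIGH value=disabled
2025-05-12T07:45:10Z scada user=operator1 cmd=SET_PUMP tag=PS1-P2 value=start
2025-05-12T10:30:00Z auth user=jsmith src=10.10.4.21 result=success
"""


def parse(text):
    """Turn normalised lines into dicts, sorted by time (sources arrive out of order)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, *pairs = line.split()
        ev = dict(p.split("=", 1) for p in pairs)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        ev["source"] = source
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(text=SAMPLE_LOG, baseline=BASELINE_LAST_LOGON):
    """Return alerts: 'medium' for an anomalous privileged logon, 'critical'
    when the same account issues a control command inside the window."""
    alerts = []
    last_logon = dict(baseline)
    flagged = {}                                    # user -> (logon time, reasons)
    for ev in parse(text):
        user = ev["user"]
        if ev["source"] == "auth" and ev.get("result") == "success":
            reasons = []
            if user in PRIVILEGED:
                if ev["ts"].hour not in BUSINESS_HOURS:
                    reasons.append("off-hours logon")
                if ipaddress.ip_address(ev["src"]) not in INTERNAL:
                    reasons.append(f"source {ev['src']} outside plant network")
                prev = last_logon.get(user)
                if prev is None or ev["ts"] - prev > DORMANT_AFTER:
                    reasons.append("dormant account reactivated")
            last_logon[user] = ev["ts"]
            if reasons:
                flagged[user] = (ev["ts"], reasons)
                alerts.append({"severity": "medium", "user": user,
                               "ts": ev["ts"], "reasons": reasons})
        elif ev["source"] == "scada" and user in flagged:
            logon_ts, reasons = flagged[user]
            if ev["ts"] - logon_ts <= CORRELATION_WINDOW:
                alerts.append({"severity": "critical", "user": user, "ts": ev["ts"],
                               "reasons": reasons + [f"{ev['cmd']} {ev['tag']}={ev['value']}"]})
    return alerts


if __name__ == "__main__":
    for a in detect():
        print(f"{a['ts']:%H:%M:%S} {a['severity']:8} {a['user']:10} " + "; ".join(a["reasons"]))
```

On the constructed sample the 02:14 logon alone is only a medium alert; what should page someone is the valve and alarm commands five minutes later from the same account, which is why the SCADA command log has to land in the same pipeline as the domain‑controller events rather than in a separate OT silo.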


Takeaways for organizations of all sizes

  1. Automate deprovisioning – Integrate HR exit workflows with identity‑management APIs so that an employee’s account is disabled the moment their HR record is marked as terminated.
  2. Enforce MFA on all privileged accounts – An attacker holding only a leaked password is stopped at the second factor; for domain‑admin and operator roles prefer phishing‑resistant factors (FIDO2 keys or smart cards) over SMS codes.
  3. Conduct quarterly privileged‑access reviews – Use tools that enumerate group memberships, service‑account tokens, and SCADA roles in a single pane of glass.
  4. Separate work and personal credentials – Encourage staff to use password managers, forbid reusing corporate passwords on consumer sites, and screen every new password against known breach lists so a reused one is rejected the moment it is set.
  5. Deploy continuous monitoring – Correlate authentication events with operational telemetry to detect suspicious control‑system commands.
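The breached‑password screening in takeaway 4, and the hash match the investigators found, both rest on comparing a password against a breach corpus. The code below is an added example, not the city’s process or any vendor’s product: it shows the k‑anonymity range protocol that services such as Have I Been Pwned’s Pwned Passwords use (the client sends only the first five hex characters of the SHA‑1 and compares the rest locally), with the leaked‑password list constructed and the range lookup implemented as a local stand‑in so it runs offline.

```python
"""Screen a candidate password against a breach corpus without revealing it.

Added example: the leaked-password list is constructed, and range_lookup is a
local stand-in for a k-anonymity range service such as Pwned Passwords.
"""
import hashlib

# Constructed breach dump: plaintext -> number of times seen across leaks.
LEAKED = {
    "Summer2019!":   1_204,
    "Welcome1":      88_310,
    "Auditing#2017": 3,          # the kind of 'unique' password that still leaks
    "password":      9_000_000,
}


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(leaked=LEAKED):
    """Index the corpus the way a range service serves it:
    5-hex-char prefix -> ['SUFFIX:COUNT', ...]."""
    index = {}
    for pw, count in leaked.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return index


def range_lookup(prefix, index):
    """Stand-in for GET /range/{prefix}: only the 5-char prefix leaves the client."""
    if len(prefix) != 5:
        raise ValueError("range queries take exactly five hex characters")
    return "\n".join(index.get(prefix, []))


def breach_count(password, index):
    """How many times the password appears in the corpus (0 if never)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix, index).splitlines():
        candidate, count = line.split(":")
        if candidate == suffix:          # the comparison happens locally
            return int(count)
    return 0


def acceptable(password, index, min_length=14):
    """Policy check for a new privileged-account password: (ok, reasons)."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    seen = breach_count(password, index)
    if seen:
        reasons.append(f"appears {seen} times in known breaches")
    return (not reasons, reasons)


if __name__ == "__main__":
    idx = build_range_index()
    for pw in ("Auditing#2017", "Welcome1", "correct horse battery staple 42"):
        print(pw, acceptable(pw, idx))
```

The same corpus is also published as NT hashes (MD4 over the UTF‑16LE password, the format Active Directory stores), which is what an investigator compares against hashes extracted from the domain during an incident like this one; the preventive check above is the cheaper end of the same idea, run at the moment a password is set.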

The water‑utility incident is a reminder that a single forgotten admin account can become a ticket to the front page. By tightening identity lifecycle processes, applying strong authentication, and watching privileged activity in real time, cities and companies can reduce the odds that a dormant user becomes a weapon in the hands of an opportunistic hacker.
